Edit tour

Windows Analysis Report
Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Overview

General Information

Sample name:	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Analysis ID:	1637714
MD5:	e160de033812eb66ef818ef415e8ff84
SHA1:	da4d6e7ad211d7a7db5e39002bd4f972c530013d
SHA256:	1827dfee3f5db9c0924437ebc91434d916f36f7ed1be8b643d2df2fb9d7e07db
Tags:	exeuser-James_inthe_box
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates processes with suspicious names

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe (PID: 7816 cmdline: "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe" MD5: E160DE033812EB66EF818EF415E8FF84)

powershell.exe (PID: 7928 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7976 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7532 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 8016 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBBDE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe (PID: 8188 cmdline: "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe" MD5: E160DE033812EB66EF818EF415E8FF84)

svchost.exe (PID: 8016 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

FCYBBfGXQ.exe (PID: 7508 cmdline: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe MD5: E160DE033812EB66EF818EF415E8FF84)

schtasks.exe (PID: 5548 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpCD04.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FCYBBfGXQ.exe (PID: 1628 cmdline: "C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe" MD5: E160DE033812EB66EF818EF415E8FF84)

SIHClient.exe (PID: 5548 cmdline: C:\Windows\System32\sihclient.exe /cv AYwrbjd6P0exK9ixJzgDPQ.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)

svchost.exe (PID: 5140 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "export.dryer@friuleir.com", "Password": "Godisgood101", "Server": "us2.smtp.mailhostbox.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefdf:$a1: get_encryptedPassword 0xf307:$a2: get_encryptedUsername 0xed7a:$a3: get_timePasswordChanged 0xee9b:$a4: get_passwordField 0xeff5:$a5: set_encryptedPassword 0x10951:$a7: get_logins 0x10602:$a8: GetOutlookPasswords 0x103f4:$a9: StartKeylogger 0x108a1:$a10: KeyLoggerEventArgs 0x10451:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf70f:$a1: get_encryptedPassword 0xfa37:$a2: get_encryptedUsername 0xf4aa:$a3: get_timePasswordChanged 0xf5cb:$a4: get_passwordField 0xf725:$a5: set_encryptedPassword 0x11081:$a7: get_logins 0x10d32:$a8: GetOutlookPasswords 0x10b24:$a9: StartKeylogger 0x10fd1:$a10: KeyLoggerEventArgs 0x10b81:$a11: KeyLoggerEventArgsEventHandler
0000000D.00000002.2390271872.0000000000417000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf317:$a1: get_encryptedPassword 0x26137:$a1: get_encryptedPassword 0x3cd57:$a1: get_encryptedPassword 0xf63f:$a2: get_encryptedUsername 0x2645f:$a2: get_encryptedUsername 0x3d07f:$a2: get_encryptedUsername 0xf0b2:$a3: get_timePasswordChanged 0x25ed2:$a3: get_timePasswordChanged 0x3caf2:$a3: get_timePasswordChanged 0xf1d3:$a4: get_passwordField 0x25ff3:$a4: get_passwordField 0x3cc13:$a4: get_passwordField 0xf32d:$a5: set_encryptedPassword 0x2614d:$a5: set_encryptedPassword 0x3cd6d:$a5: set_encryptedPassword 0x10c89:$a7: get_logins 0x27aa9:$a7: get_logins 0x3e6c9:$a7: get_logins 0x1093a:$a8: GetOutlookPasswords 0x2775a:$a8: GetOutlookPasswords 0x3e37a:$a8: GetOutlookPasswords
00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1374f:$a1: get_encryptedPassword 0x2a36f:$a1: get_encryptedPassword 0x13a77:$a2: get_encryptedUsername 0x2a697:$a2: get_encryptedUsername 0x134ea:$a3: get_timePasswordChanged 0x2a10a:$a3: get_timePasswordChanged 0x1360b:$a4: get_passwordField 0x2a22b:$a4: get_passwordField 0x13765:$a5: set_encryptedPassword 0x2a385:$a5: set_encryptedPassword 0x150c1:$a7: get_logins 0x2bce1:$a7: get_logins 0x14d72:$a8: GetOutlookPasswords 0x2b992:$a8: GetOutlookPasswords 0x14b64:$a9: StartKeylogger 0x2b784:$a9: StartKeylogger 0x15011:$a10: KeyLoggerEventArgs 0x2bc31:$a10: KeyLoggerEventArgs 0x14bc1:$a11: KeyLoggerEventArgsEventHandler 0x2b7e1:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.2394209871.0000000002D44000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2394126088.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2cdd2:$a1: get_encryptedPassword 0x2d0eb:$a2: get_encryptedUsername 0x2cb81:$a3: get_timePasswordChanged 0x2cca2:$a4: get_passwordField 0x2cde8:$a5: set_encryptedPassword 0x2e6eb:$a7: get_logins 0x2e39c:$a8: GetOutlookPasswords 0x2e18e:$a9: StartKeylogger 0x2e63b:$a10: KeyLoggerEventArgs 0x2e1eb:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 8188	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 8188	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 8188	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 8188	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 8188	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x536d:$a1: get_encryptedPassword 0x5686:$a2: get_encryptedUsername 0x511c:$a3: get_timePasswordChanged 0x523d:$a4: get_passwordField 0x5383:$a5: set_encryptedPassword 0x6c86:$a7: get_logins 0x6937:$a8: GetOutlookPasswords 0x6729:$a9: StartKeylogger 0x6bd6:$a10: KeyLoggerEventArgs 0x6786:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: FCYBBfGXQ.exe PID: 7508	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: FCYBBfGXQ.exe PID: 7508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FCYBBfGXQ.exe PID: 7508	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: FCYBBfGXQ.exe PID: 7508	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: FCYBBfGXQ.exe PID: 7508	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: FCYBBfGXQ.exe PID: 7508	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35212:$a1: get_encryptedPassword 0x556e9:$a1: get_encryptedPassword 0x3552b:$a2: get_encryptedUsername 0x55a02:$a2: get_encryptedUsername 0x34fc1:$a3: get_timePasswordChanged 0x55498:$a3: get_timePasswordChanged 0x350e2:$a4: get_passwordField 0x555b9:$a4: get_passwordField 0x35228:$a5: set_encryptedPassword 0x556ff:$a5: set_encryptedPassword 0x36b2b:$a7: get_logins 0x57002:$a7: get_logins 0x367dc:$a8: GetOutlookPasswords 0x56cb3:$a8: GetOutlookPasswords 0x365ce:$a9: StartKeylogger 0x56aa5:$a9: StartKeylogger 0x36a7b:$a10: KeyLoggerEventArgs 0x56f52:$a10: KeyLoggerEventArgs 0x3662b:$a11: KeyLoggerEventArgsEventHandler 0x56b02:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: FCYBBfGXQ.exe PID: 1628	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FCYBBfGXQ.exe PID: 1628	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14171:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1366f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1397d:$a4: \Orbitum\User Data\Default\Login Data 0x14775:$a5: \Kometa\User Data\Default\Login Data
13.2.FCYBBfGXQ.exe.400000.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.FCYBBfGXQ.exe.3ebd530.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.FCYBBfGXQ.exe.3ebd530.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.FCYBBfGXQ.exe.3ebd530.5.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.FCYBBfGXQ.exe.3ebd530.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.FCYBBfGXQ.exe.3ebd530.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
8.2.FCYBBfGXQ.exe.3ebd530.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12371:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1186f:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b7d:$a4: \Orbitum\User Data\Default\Login Data 0x12975:$a5: \Kometa\User Data\Default\Login Data
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12371:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1186f:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b7d:$a4: \Orbitum\User Data\Default\Login Data 0x12975:$a5: \Kometa\User Data\Default\Login Data
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0x25dff:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0x26127:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0x25b9a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0x25cbb:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x25e15:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x27771:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x27422:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x27214:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x276c1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler 0x27271:$a11: KeyLoggerEventArgsEventHandler
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14171:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2ad91:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1366f:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a28f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1397d:$a4: \Orbitum\User Data\Default\Login Data 0x2a59d:$a4: \Orbitum\User Data\Default\Login Data 0x14775:$a5: \Kometa\User Data\Default\Login Data 0x2b395:$a5: \Kometa\User Data\Default\Login Data
8.2.FCYBBfGXQ.exe.3675570.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.FCYBBfGXQ.exe.3675570.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.FCYBBfGXQ.exe.3675570.4.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.FCYBBfGXQ.exe.3675570.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.FCYBBfGXQ.exe.3675570.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
8.2.FCYBBfGXQ.exe.3675570.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12371:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1186f:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b7d:$a4: \Orbitum\User Data\Default\Login Data 0x12975:$a5: \Kometa\User Data\Default\Login Data
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12371:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1186f:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b7d:$a4: \Orbitum\User Data\Default\Login Data 0x12975:$a5: \Kometa\User Data\Default\Login Data
8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0x25dff:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0x26127:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0x25b9a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0x25cbb:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x25e15:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x27771:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x27422:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x27214:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x276c1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler 0x27271:$a11: KeyLoggerEventArgsEventHandler
8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14171:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2ad91:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1366f:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a28f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1397d:$a4: \Orbitum\User Data\Default\Login Data 0x2a59d:$a4: \Orbitum\User Data\Default\Login Data 0x14775:$a5: \Kometa\User Data\Default\Login Data 0x2b395:$a5: \Kometa\User Data\Default\Login Data
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0x25fff:$a1: get_encryptedPassword 0x3cc1f:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0x26327:$a2: get_encryptedUsername 0x3cf47:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0x25d9a:$a3: get_timePasswordChanged 0x3c9ba:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0x25ebb:$a4: get_passwordField 0x3cadb:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x26015:$a5: set_encryptedPassword 0x3cc35:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x27971:$a7: get_logins 0x3e591:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x27622:$a8: GetOutlookPasswords 0x3e242:$a8: GetOutlookPasswords
0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14171:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2af91:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x41bb1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1366f:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a48f:$a3: \Google\Chrome\User Data\Default\Login Data 0x410af:$a3: \Google\Chrome\User Data\Default\Login Data 0x1397d:$a4: \Orbitum\User Data\Default\Login Data 0x2a79d:$a4: \Orbitum\User Data\Default\Login Data 0x413bd:$a4: \Orbitum\User Data\Default\Login Data 0x14775:$a5: \Kometa\User Data\Default\Login Data 0x2b595:$a5: \Kometa\User Data\Default\Login Data 0x421b5:$a5: \Kometa\User Data\Default\Login Data
Click to see the 44 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe", ParentImage: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, ParentProcessId: 7816, ParentProcessName: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe", ProcessId: 7928, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpCD04.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpCD04.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe, ParentImage: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe, ParentProcessId: 7508, ParentProcessName: FCYBBfGXQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpCD04.tmp", ProcessId: 5548, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBBDE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBBDE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe", ParentImage: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, ParentProcessId: 7816, ParentProcessName: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBBDE.tmp", ProcessId: 8016, ProcessName: schtasks.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe", ParentImage: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, ParentProcessId: 7816, ParentProcessName: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 8016, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe", ParentImage: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, ParentProcessId: 7816, ParentProcessName: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe", ProcessId: 7928, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5140, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBBDE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBBDE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe", ParentImage: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, ParentProcessId: 7816, ParentProcessName: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBBDE.tmp", ProcessId: 8016, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T21:17:15.567716+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49720	132.226.8.169	80	TCP
2025-03-13T21:17:20.333351+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49724	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe

Avira: detection malicious, Label: HEUR/AGEN.1306911

Found malware configuration

Source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "export.dryer@friuleir.com", "Password": "Godisgood101", "Server": "us2.smtp.mailhostbox.com"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

ReversingLabs: Detection: 36%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49721 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49726 version: TLS 1.0

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 096047AAh	0_2_09603F6B
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 096047AAh	0_2_0960435C
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 010C9731h	7_2_010C9480
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 010C9E5Ah	7_2_010C9A30
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 010C9E5Ah	7_2_010C9D87
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052C5E15h	7_2_052C5AD8
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052C47C9h	7_2_052C4520
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052C8830h	7_2_052C8588
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052C76D0h	7_2_052C7428
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052CF700h	7_2_052CF458
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052C76D0h	7_2_052C7428
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052CE9F8h	7_2_052CE750
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052C5929h	7_2_052C5680
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052C83D8h	7_2_052C8130
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052CE5A0h	7_2_052CE180
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052CF2A8h	7_2_052CF000
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052C54D1h	7_2_052C5228
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052C5079h	7_2_052C4DD0
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052C7F80h	7_2_052C7CD8
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052C7278h	7_2_052C6FD0
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052C4C21h	7_2_052C4978
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052CFB58h	7_2_052CF8B0
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052C7B28h	7_2_052C7880
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 4x nop then jmp 052CEE50h	7_2_052CEBA8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 04693A82h	8_2_04693243
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 04693A82h	8_2_04693634
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 01309731h	13_2_01309480
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 01309E5Ah	13_2_01309A30
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 01309E5Ah	13_2_01309D87
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053B47C9h	13_2_053B4520
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053B8830h	13_2_053B8588
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053B76D0h	13_2_053B7428
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053B76D0h	13_2_053B7428
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053BF700h	13_2_053BF458
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053BE9F8h	13_2_053BE750
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053B5929h	13_2_053B5680
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053B83D8h	13_2_053B8130
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053BF2A8h	13_2_053BF000
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053B54D1h	13_2_053B5228
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053B7278h	13_2_053B7200
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053BE5A0h	13_2_053BE2F8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053B5079h	13_2_053B4DD0
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053B7F80h	13_2_053B7CD8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053B7278h	13_2_053B6FD0
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053B4C21h	13_2_053B4978
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053BFB58h	13_2_053BF8B0
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053B7B28h	13_2_053B7880
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053BEE50h	13_2_053BEBA8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 4x nop then jmp 053B5E15h	13_2_053B5AD8

Source: global traffic

TCP traffic: 192.168.2.4:51613 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49724 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49720 -> 132.226.8.169:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49721 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49726 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, FCYBBfGXQ.exe, 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: svchost.exe, 0000000A.00000002.2393825306.0000018FD8000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000A.00000003.1203809769.0000018FD7DB8000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000A.00000003.1203809769.0000018FD7DB8000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000A.00000003.1203809769.0000018FD7DB8000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000A.00000003.1203809769.0000018FD7DED000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.10.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1188650346.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 00000008.00000002.1231356862.00000000026BE000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: svchost.exe, 0000000E.00000002.1364694018.000002653A213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, FCYBBfGXQ.exe, 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000E.00000002.1364813080.000002653A259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000000E.00000002.1364883770.000002653A270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364028882.000002653A262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364159071.000002653A25A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364190854.000002653A241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1363931769.000002653A26E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364847121.000002653A263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364778121.000002653A242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000002.1364883770.000002653A270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1363931769.000002653A26E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000003.1364011021.000002653A267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.1363888996.000002653A275000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364904290.000002653A277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.1364735087.000002653A22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364028882.000002653A262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364159071.000002653A25A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364847121.000002653A263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.1364735087.000002653A22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364865307.000002653A268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364011021.000002653A267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000002.1364735087.000002653A22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364028882.000002653A262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364847121.000002653A263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.1364190854.000002653A241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364778121.000002653A242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.1364028882.000002653A262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364847121.000002653A263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.1364227661.000002653A231000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364028882.000002653A262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364847121.000002653A263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.1364778121.000002653A242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.1364028882.000002653A262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364847121.000002653A263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.1364190854.000002653A241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364778121.000002653A242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000002.1364778121.000002653A242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.1364735087.000002653A22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364865307.000002653A268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364011021.000002653A267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.1203809769.0000018FD7E62000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000A.00000003.1203809769.0000018FD7E62000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 0000000A.00000003.1203809769.0000018FD7E62000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.10.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.orgX
Source: svchost.exe, 0000000E.00000003.1364190854.000002653A241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000003.1364175134.000002653A249000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364778121.000002653A242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.1364175134.000002653A249000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364778121.000002653A242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.1364735087.000002653A22B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000002.1364813080.000002653A259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.FCYBBfGXQ.exe.3ebd530.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.FCYBBfGXQ.exe.3ebd530.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.FCYBBfGXQ.exe.3675570.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.FCYBBfGXQ.exe.3675570.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 8188, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: FCYBBfGXQ.exe PID: 7508, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMPC40C.tmp
Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP1DA1.tmp

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC2650	0_2_00DC2650
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC13B0	0_2_00DC13B0
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC35B0	0_2_00DC35B0
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC9660	0_2_00DC9660
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC1C58	0_2_00DC1C58
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC2109	0_2_00DC2109
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC4498	0_2_00DC4498
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC44A8	0_2_00DC44A8
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC0871	0_2_00DC0871
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC4FD8	0_2_00DC4FD8
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC4FC9	0_2_00DC4FC9
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC52C9	0_2_00DC52C9
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC1355	0_2_00DC1355
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC1311	0_2_00DC1311
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC3581	0_2_00DC3581
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC35A3	0_2_00DC35A3
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC1698	0_2_00DC1698
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC5648	0_2_00DC5648
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC5638	0_2_00DC5638
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC5838	0_2_00DC5838
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC5829	0_2_00DC5829
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC5A80	0_2_00DC5A80
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC5A70	0_2_00DC5A70
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_09600040	0_2_09600040
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_096063C8	0_2_096063C8
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_09605638	0_2_09605638
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_0ADEBB48	0_2_0ADEBB48
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_0ADE0040	0_2_0ADE0040
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_0ADE3540	0_2_0ADE3540
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_0ADEF960	0_2_0ADEF960
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_0ADE4F50	0_2_0ADE4F50
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_010CC530	7_2_010CC530
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_010C27B9	7_2_010C27B9
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_010C2DD1	7_2_010C2DD1
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_010C9480	7_2_010C9480
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_010CC521	7_2_010CC521
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_010C946F	7_2_010C946F
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C6138	7_2_052C6138
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C1362	7_2_052C1362
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052CBC60	7_2_052CBC60
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052CAF00	7_2_052CAF00
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C89E0	7_2_052C89E0
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C0AB8	7_2_052C0AB8
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C5AD8	7_2_052C5AD8
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C4520	7_2_052C4520
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C450F	7_2_052C450F
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C8579	7_2_052C8579
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C8588	7_2_052C8588
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C7428	7_2_052C7428
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C7418	7_2_052C7418
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052CF448	7_2_052CF448
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052CF458	7_2_052CF458
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C7428	7_2_052C7428
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052CE740	7_2_052CE740
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052CE750	7_2_052CE750
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C5680	7_2_052C5680
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C8120	7_2_052C8120
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C8130	7_2_052C8130
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052CE180	7_2_052CE180
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052CF000	7_2_052CF000
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C0320	7_2_052C0320
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C0330	7_2_052C0330
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C5228	7_2_052C5228
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C521A	7_2_052C521A
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C4DC0	7_2_052C4DC0
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C4DD0	7_2_052C4DD0
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C7CC8	7_2_052C7CC8
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C0CD8	7_2_052C0CD8
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C7CD8	7_2_052C7CD8
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052CEFF0	7_2_052CEFF0
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C6FC1	7_2_052C6FC1
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C6FC3	7_2_052C6FC3
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C6FD0	7_2_052C6FD0
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C4969	7_2_052C4969
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C4978	7_2_052C4978
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C89D0	7_2_052C89D0
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C7871	7_2_052C7871
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052CF8A0	7_2_052CF8A0
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052CF8B0	7_2_052CF8B0
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C7880	7_2_052C7880
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052CEBA8	7_2_052CEBA8
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052CEB98	7_2_052CEB98
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 7_2_052C5ACA	7_2_052C5ACA
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02482650	8_2_02482650
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_024813B0	8_2_024813B0
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02489660	8_2_02489660
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_024835B0	8_2_024835B0
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02481C58	8_2_02481C58
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02482109	8_2_02482109
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02484498	8_2_02484498
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_024844A8	8_2_024844A8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02480871	8_2_02480871
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02484FC9	8_2_02484FC9
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02484FD8	8_2_02484FD8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_024852C9	8_2_024852C9
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02481312	8_2_02481312
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02485648	8_2_02485648
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02485638	8_2_02485638
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02481698	8_2_02481698
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_024834B0	8_2_024834B0
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02485A70	8_2_02485A70
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02485A80	8_2_02485A80
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02485829	8_2_02485829
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02485838	8_2_02485838
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_04690040	8_2_04690040
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_0A71BB38	8_2_0A71BB38
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_0A710040	8_2_0A710040
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_0A713540	8_2_0A713540
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_0A71FA80	8_2_0A71FA80
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_0A71BB28	8_2_0A71BB28
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_0A714EF8	8_2_0A714EF8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_0130C530	13_2_0130C530
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_013027B9	13_2_013027B9
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_01302DD1	13_2_01302DD1
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_01309480	13_2_01309480
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_013019B8	13_2_013019B8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_0130C521	13_2_0130C521
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_0130946F	13_2_0130946F
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_0130FC9C	13_2_0130FC9C
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053BBC50	13_2_053BBC50
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B4520	13_2_053B4520
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B450F	13_2_053B450F
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B8579	13_2_053B8579
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B8588	13_2_053B8588
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B7428	13_2_053B7428
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B7418	13_2_053B7418
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B7428	13_2_053B7428
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053BF458	13_2_053BF458
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053BF448	13_2_053BF448
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053BE750	13_2_053BE750
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053BE740	13_2_053BE740
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B566F	13_2_053B566F
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B5680	13_2_053B5680
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B6138	13_2_053B6138
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B8130	13_2_053B8130
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B8120	13_2_053B8120
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053BE170	13_2_053BE170
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053BF000	13_2_053BF000
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B0330	13_2_053B0330
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B0320	13_2_053B0320
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B5228	13_2_053B5228
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B521A	13_2_053B521A
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053BE2F8	13_2_053BE2F8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B4DD0	13_2_053B4DD0
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B4DC0	13_2_053B4DC0
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B0CD8	13_2_053B0CD8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B7CD8	13_2_053B7CD8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B7CC8	13_2_053B7CC8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053BEFF0	13_2_053BEFF0
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B6FD0	13_2_053B6FD0
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B6FC3	13_2_053B6FC3
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053BAE78	13_2_053BAE78
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B4978	13_2_053B4978
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B4969	13_2_053B4969
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B89E0	13_2_053B89E0
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B89D0	13_2_053B89D0
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B7871	13_2_053B7871
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053BF8B0	13_2_053BF8B0
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053BF8A1	13_2_053BF8A1
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B7880	13_2_053B7880
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053BEBA8	13_2_053BEBA8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053BEB98	13_2_053BEB98
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B0AB8	13_2_053B0AB8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B5AD8	13_2_053B5AD8
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 13_2_053B5ACA	13_2_053B5ACA

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1188650346.0000000002936000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1188650346.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1186128984.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1188650346.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1188650346.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000000.1135530069.0000000000580000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexxSS.exe8 vs Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1189794518.00000000040F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1195823346.000000000ACE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1188650346.00000000028F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1195167799.0000000009580000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2390605208.0000000000D77000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2390276147.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Binary or memory string: OriginalFilenamexxSS.exe8 vs Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.FCYBBfGXQ.exe.3ebd530.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.FCYBBfGXQ.exe.3ebd530.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.FCYBBfGXQ.exe.3675570.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.FCYBBfGXQ.exe.3675570.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 8188, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: FCYBBfGXQ.exe PID: 7508, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FCYBBfGXQ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, DI9ybLMufZZilrU6Wq.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, DI9ybLMufZZilrU6Wq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, DI9ybLMufZZilrU6Wq.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, e4qfACuOHaxupbOMYl.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, e4qfACuOHaxupbOMYl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, e4qfACuOHaxupbOMYl.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, e4qfACuOHaxupbOMYl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, DI9ybLMufZZilrU6Wq.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, DI9ybLMufZZilrU6Wq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, DI9ybLMufZZilrU6Wq.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, e4qfACuOHaxupbOMYl.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, e4qfACuOHaxupbOMYl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, DI9ybLMufZZilrU6Wq.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, DI9ybLMufZZilrU6Wq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, DI9ybLMufZZilrU6Wq.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/24@2/3

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

File created: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Mutant created: NULL
Source: C:\Windows\System32\SIHClient.exe	Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\ubqUbcXdIWmniVQYyGmzASrfXLp
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5940:120:WilError_03

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmpBBDE.tmp

Jump to behavior

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp, Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002F1E000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002F3C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

File read: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe"
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBBDE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpCD04.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process created: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe "C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe"
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv AYwrbjd6P0exK9ixJzgDPQ.0.2
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBBDE.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpCD04.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process created: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe "C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, DI9ybLMufZZilrU6Wq.cs	.Net Code: IRn9WVW3sh System.Reflection.Assembly.Load(byte[])
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, DI9ybLMufZZilrU6Wq.cs	.Net Code: IRn9WVW3sh System.Reflection.Assembly.Load(byte[])
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, DI9ybLMufZZilrU6Wq.cs	.Net Code: IRn9WVW3sh System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_00DC0B61 push ss; ret	0_2_00DC0B65
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_09604647 push ebx; ret	0_2_09604649
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_0ADE5E7D push E909A25Eh; ret	0_2_0ADE5E99
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_0ADE5E6B push E909A25Eh; ret	0_2_0ADE5E99
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_0ADE5E63 push E80F6C5Eh; ret	0_2_0ADE5E69
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_0ADE7F63 push E802005Eh; ret	0_2_0ADE7F69
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_0ADE7C63 push E812515Eh; ret	0_2_0ADE7C69
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Code function: 0_2_0ADE5D62 push E801045Eh; ret	0_2_0ADE5D69
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_02480B61 push ss; ret	8_2_02480B65
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_0469584D push FFFFFF8Bh; iretd	8_2_0469584F
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Code function: 8_2_0A717C62 push E810635Eh; ret	8_2_0A717C69

Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Static PE information: section name: .text entropy: 7.723471960526681
Source: FCYBBfGXQ.exe.0.dr	Static PE information: section name: .text entropy: 7.723471960526681

Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, qeeVOC9t6LdtiXkrxm.cs	High entropy of concatenated method names: 'mBYoO4qfAC', 'jHaoMxupbO', 'EjHo7SAS5v', 'Rh3offlGMK', 'Yj1oUnvfEZ', 'BfMogNgyJJ', 'GsOyVAJ9254fQXb9NQ', 'zjjrr0KjuSxdBOHsTH', 'XVxoo6fLOF', 'HsioCgxNVN'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, gGMKApqdipns1Pj1nv.cs	High entropy of concatenated method names: 'bAjdbtsWQ7', 'qSMdvhI7Zb', 'DIpLxACj1H', 'dB5LiRNkMG', 'SxOLjJacXt', 'tVvLI2O1Uh', 'LufLc2iWxd', 'eJlLnCa2Zx', 'PytL396snG', 'IFqLAMyyNZ'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, m648Qv4mCO8JQlX54L.cs	High entropy of concatenated method names: 'e6fWiwR5Y', 'jalhmSf3k', 'UBdtQv8mh', 'QJcvSJFgt', 'A3dB5YEPD', 'SWpqaqkds', 'Gff3VeUINjjrZB32fg', 'qtuxQM2eCY3tvxTGyK', 'BZc2oHPbS', 'j76SNyaEM'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, XKkY9ARJ5xbodNuayd.cs	High entropy of concatenated method names: 'gjwEUoZvTZ', 'EfGETWhwgW', 'VZ3EElBT91', 'xnREkErU5R', 'eNpEFo0mfX', 'iZdEHYTCr5', 'Dispose', 'ft12GVqpvu', 'qhW2lqvlOs', 'jYl2LXrn12'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, QyystgluoasAyrDymm.cs	High entropy of concatenated method names: 'Dispose', 'HbooNdNuay', 'gbM460ISHD', 'zpnj8XVbhm', 'i0QoPYYMp5', 'Tb9ozHvNG6', 'ProcessDialogKey', 'drk4mJkDMI', 'hg04oFRx0a', 'uIs44sfpN5'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, nEZtfMXNgyJJHbGWpf.cs	High entropy of concatenated method names: 'QFBDY4RR0Z', 'XykDle8LOC', 'hNyDdFSk5P', 'dnbDONkdgc', 'ArxDMD2Rhy', 'UFedVRHFvj', 'j90d5SPKQl', 'Vm8dRGygik', 'iVgdsR6Hsp', 'dmAdNM03hO'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, doIyKGQPyheXtjYFsl.cs	High entropy of concatenated method names: 'A1tUA9bapt', 'GwAUpxGkuW', 'OXbUQXJSM9', 'Xv4UZ0Rmk3', 'byAU6jHR3k', 'MGFUxFr5Aj', 'hsHUiUvbNu', 'k0gUjvaHDV', 'XGPUIkrYSr', 'JOQUcCECqj'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, B9eGtromuKyCA1k7ePW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WBqS1qKxZ9', 'tF0SpnQ0Lg', 'KgySy1Lagr', 'n06SQOsqIo', 'LRVSZ2w7il', 'hOsSw8sFiF', 'tmuSJ0lQXC'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, da049wcoy7EfKv8UyX.cs	High entropy of concatenated method names: 'XclOGOGFrU', 'Lq6OL6MSOR', 'sseODlSErJ', 'kWYDP0WymT', 'XD3DzaA1NT', 'R8QOm56QdM', 'gCBOoDPPpg', 'o1GO4CAB04', 'nLcOCsuM4h', 'Or2O9rOy1Y'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, Jg5cN6L1o0pj6epmNC.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rTP4NO149F', 'u5p4PUfCSb', 'rmZ4zbUTIS', 'GQiCmBmXZP', 'nTlCoBNLXm', 'HwsC4ktZ38', 'ciaCCqtIEF', 'U0672k1v22m85bCCoq7'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, WfpN5ePW8Je7VgoiXo.cs	High entropy of concatenated method names: 'uTYSLS0EDC', 'I8MSdZmBY7', 'xmOSDH6ZPI', 'PIASOUFGs4', 'YVFSEp3JjA', 'OJKSMaVWje', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, e4qfACuOHaxupbOMYl.cs	High entropy of concatenated method names: 'ffGlQdXZP7', 't8clZ4FHGy', 'Toflwyj4qy', 'F2QlJQ21Ru', 'OZJlVCMN7g', 'Sfil5cPTrN', 'vndlRNSbXP', 't7rlsLCcBJ', 'c3llN8CRu9', 'jo0lPToped'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, Xcyh8BBjHSAS5vQh3f.cs	High entropy of concatenated method names: 'Ga5LhTfYDI', 'GDKLtmJfxh', 'Xy9LuH7Ra7', 'BmkLBOoBlX', 'OutLUnAibQ', 'rs5LgLFqRT', 'zoyLTN9dG6', 'Eh4L2Rg2p1', 'Hd8LEKvM1u', 'GIeLSVG1ah'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, c8aFkxo94qYycW9X8Oe.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'h4beE9eRAu', 'ITEeSiDmrT', 'JJBek5c2Gq', 'GePeeGq9Rk', 'gyCeF5d5Jp', 'Iuee0wEw6x', 'lLAeHqmG12'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, Y2t7Vy3KyIKisBdVbD.cs	High entropy of concatenated method names: 'MjCOK7Sv8c', 'Fm1O85tu5X', 'RGgOWk3yld', 'uOBOhTNJG7', 'IpOObDAHgG', 'xtQOtbgkl1', 'OwdOvE86BA', 'DexOuRNQkh', 'mOCOBpQU9O', 'XLVOqB3rDc'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, H4FRp3oo8dlriSoQ37Y.cs	High entropy of concatenated method names: 'VH9SP8dwBj', 'fBWSzPx27j', 'P1AkmeapH7', 'HuFkoi7VvI', 'DvAk4wqs0p', 'G6XkCIldM2', 'uK1k9duShK', 'KuekYTGTXa', 'V6ZkGDE5pO', 'cWMklUhJKc'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, z1UvdTJqWj3XUVxL82.cs	High entropy of concatenated method names: 'oOyT7cqARC', 'zINTf6f3xY', 'ToString', 'CFWTG46gvR', 'H1KTlEXIsA', 'bHZTLTQexC', 'AgpTdnpcpB', 'MScTDymkyD', 'MIuTOsOMjr', 'ocJTMS6dZN'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, WDaJ0bwLu1dtqAT27O.cs	High entropy of concatenated method names: 'ToString', 'Fcfg1liQVV', 'onGg6uvvgo', 'rNtgxKGoPC', 'yvRgiWvEAC', 'WEfgjDHQJG', 'CKHgIKwVNv', 'ji5gcq51b0', 'x1sgnBUyKs', 'T35g3E7xKk'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, mcELAGybYqYAornhmC.cs	High entropy of concatenated method names: 'QFQrupacJL', 'IHHrB2KZ55', 'nRtrX73lM9', 'eTNr6Loq2j', 'LK2riZLVZu', 'IEwrjqp3vf', 'KVBrc9wbyf', 'abKrnFAEHh', 'bZ5rAma7VI', 'uAPr1jH6k3'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, K8x27AzHjEaNYk7LDO.cs	High entropy of concatenated method names: 'rp9St3VgDw', 'hyaSupV9EW', 'XMQSB23y79', 'AHKSXn5dJE', 'HkoS6FtPSW', 'FthSiECHno', 'mXISjMQn2c', 'wLsSHkwQZw', 'hp5SKwob3j', 'fk1S8xRiRT'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, DI9ybLMufZZilrU6Wq.cs	High entropy of concatenated method names: 'CpeCYvNZBC', 'LoTCGw90B4', 'vKiClNB8qY', 'qNdCLSqi7I', 'kPoCdeg8q9', 'Lc0CDLLuwT', 'cW7COMZR83', 'pMLCMURFoS', 'PVwCaKV2mx', 'AesC7WeOjy'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, BZ7ryAigp7mIwggcV4.cs	High entropy of concatenated method names: 'r9tDHCjRvt', 'kLEDKd9IOB', 'aZwDWOff0e', 'SoUDhPQusr', 'vA5DtJAL7K', 'gkDDv14mZh', 'WpbDBdQyWd', 'a5gDqQ1sJJ', 'RtXQMHHTNALhICXweSN', 'p20xVFHj71WXANIGXo2'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.4275a60.5.raw.unpack, tJkDMINLg0FRx0akIs.cs	High entropy of concatenated method names: 'PHdEXHWUXI', 'qNYE66vgXE', 'd4GExCiqJQ', 'zCEEiv9Dwk', 'J0tEjvTcX9', 'wJ6EInMhJi', 'dUeEcCdecc', 'piiEn6H3XH', 'WVFE3qOFHh', 'auaEA4B9WW'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, qeeVOC9t6LdtiXkrxm.cs	High entropy of concatenated method names: 'mBYoO4qfAC', 'jHaoMxupbO', 'EjHo7SAS5v', 'Rh3offlGMK', 'Yj1oUnvfEZ', 'BfMogNgyJJ', 'GsOyVAJ9254fQXb9NQ', 'zjjrr0KjuSxdBOHsTH', 'XVxoo6fLOF', 'HsioCgxNVN'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, gGMKApqdipns1Pj1nv.cs	High entropy of concatenated method names: 'bAjdbtsWQ7', 'qSMdvhI7Zb', 'DIpLxACj1H', 'dB5LiRNkMG', 'SxOLjJacXt', 'tVvLI2O1Uh', 'LufLc2iWxd', 'eJlLnCa2Zx', 'PytL396snG', 'IFqLAMyyNZ'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, m648Qv4mCO8JQlX54L.cs	High entropy of concatenated method names: 'e6fWiwR5Y', 'jalhmSf3k', 'UBdtQv8mh', 'QJcvSJFgt', 'A3dB5YEPD', 'SWpqaqkds', 'Gff3VeUINjjrZB32fg', 'qtuxQM2eCY3tvxTGyK', 'BZc2oHPbS', 'j76SNyaEM'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, XKkY9ARJ5xbodNuayd.cs	High entropy of concatenated method names: 'gjwEUoZvTZ', 'EfGETWhwgW', 'VZ3EElBT91', 'xnREkErU5R', 'eNpEFo0mfX', 'iZdEHYTCr5', 'Dispose', 'ft12GVqpvu', 'qhW2lqvlOs', 'jYl2LXrn12'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, QyystgluoasAyrDymm.cs	High entropy of concatenated method names: 'Dispose', 'HbooNdNuay', 'gbM460ISHD', 'zpnj8XVbhm', 'i0QoPYYMp5', 'Tb9ozHvNG6', 'ProcessDialogKey', 'drk4mJkDMI', 'hg04oFRx0a', 'uIs44sfpN5'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, nEZtfMXNgyJJHbGWpf.cs	High entropy of concatenated method names: 'QFBDY4RR0Z', 'XykDle8LOC', 'hNyDdFSk5P', 'dnbDONkdgc', 'ArxDMD2Rhy', 'UFedVRHFvj', 'j90d5SPKQl', 'Vm8dRGygik', 'iVgdsR6Hsp', 'dmAdNM03hO'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, doIyKGQPyheXtjYFsl.cs	High entropy of concatenated method names: 'A1tUA9bapt', 'GwAUpxGkuW', 'OXbUQXJSM9', 'Xv4UZ0Rmk3', 'byAU6jHR3k', 'MGFUxFr5Aj', 'hsHUiUvbNu', 'k0gUjvaHDV', 'XGPUIkrYSr', 'JOQUcCECqj'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, B9eGtromuKyCA1k7ePW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WBqS1qKxZ9', 'tF0SpnQ0Lg', 'KgySy1Lagr', 'n06SQOsqIo', 'LRVSZ2w7il', 'hOsSw8sFiF', 'tmuSJ0lQXC'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, da049wcoy7EfKv8UyX.cs	High entropy of concatenated method names: 'XclOGOGFrU', 'Lq6OL6MSOR', 'sseODlSErJ', 'kWYDP0WymT', 'XD3DzaA1NT', 'R8QOm56QdM', 'gCBOoDPPpg', 'o1GO4CAB04', 'nLcOCsuM4h', 'Or2O9rOy1Y'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, Jg5cN6L1o0pj6epmNC.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rTP4NO149F', 'u5p4PUfCSb', 'rmZ4zbUTIS', 'GQiCmBmXZP', 'nTlCoBNLXm', 'HwsC4ktZ38', 'ciaCCqtIEF', 'U0672k1v22m85bCCoq7'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, WfpN5ePW8Je7VgoiXo.cs	High entropy of concatenated method names: 'uTYSLS0EDC', 'I8MSdZmBY7', 'xmOSDH6ZPI', 'PIASOUFGs4', 'YVFSEp3JjA', 'OJKSMaVWje', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, e4qfACuOHaxupbOMYl.cs	High entropy of concatenated method names: 'ffGlQdXZP7', 't8clZ4FHGy', 'Toflwyj4qy', 'F2QlJQ21Ru', 'OZJlVCMN7g', 'Sfil5cPTrN', 'vndlRNSbXP', 't7rlsLCcBJ', 'c3llN8CRu9', 'jo0lPToped'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, Xcyh8BBjHSAS5vQh3f.cs	High entropy of concatenated method names: 'Ga5LhTfYDI', 'GDKLtmJfxh', 'Xy9LuH7Ra7', 'BmkLBOoBlX', 'OutLUnAibQ', 'rs5LgLFqRT', 'zoyLTN9dG6', 'Eh4L2Rg2p1', 'Hd8LEKvM1u', 'GIeLSVG1ah'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, c8aFkxo94qYycW9X8Oe.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'h4beE9eRAu', 'ITEeSiDmrT', 'JJBek5c2Gq', 'GePeeGq9Rk', 'gyCeF5d5Jp', 'Iuee0wEw6x', 'lLAeHqmG12'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, Y2t7Vy3KyIKisBdVbD.cs	High entropy of concatenated method names: 'MjCOK7Sv8c', 'Fm1O85tu5X', 'RGgOWk3yld', 'uOBOhTNJG7', 'IpOObDAHgG', 'xtQOtbgkl1', 'OwdOvE86BA', 'DexOuRNQkh', 'mOCOBpQU9O', 'XLVOqB3rDc'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, H4FRp3oo8dlriSoQ37Y.cs	High entropy of concatenated method names: 'VH9SP8dwBj', 'fBWSzPx27j', 'P1AkmeapH7', 'HuFkoi7VvI', 'DvAk4wqs0p', 'G6XkCIldM2', 'uK1k9duShK', 'KuekYTGTXa', 'V6ZkGDE5pO', 'cWMklUhJKc'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, z1UvdTJqWj3XUVxL82.cs	High entropy of concatenated method names: 'oOyT7cqARC', 'zINTf6f3xY', 'ToString', 'CFWTG46gvR', 'H1KTlEXIsA', 'bHZTLTQexC', 'AgpTdnpcpB', 'MScTDymkyD', 'MIuTOsOMjr', 'ocJTMS6dZN'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, WDaJ0bwLu1dtqAT27O.cs	High entropy of concatenated method names: 'ToString', 'Fcfg1liQVV', 'onGg6uvvgo', 'rNtgxKGoPC', 'yvRgiWvEAC', 'WEfgjDHQJG', 'CKHgIKwVNv', 'ji5gcq51b0', 'x1sgnBUyKs', 'T35g3E7xKk'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, mcELAGybYqYAornhmC.cs	High entropy of concatenated method names: 'QFQrupacJL', 'IHHrB2KZ55', 'nRtrX73lM9', 'eTNr6Loq2j', 'LK2riZLVZu', 'IEwrjqp3vf', 'KVBrc9wbyf', 'abKrnFAEHh', 'bZ5rAma7VI', 'uAPr1jH6k3'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, K8x27AzHjEaNYk7LDO.cs	High entropy of concatenated method names: 'rp9St3VgDw', 'hyaSupV9EW', 'XMQSB23y79', 'AHKSXn5dJE', 'HkoS6FtPSW', 'FthSiECHno', 'mXISjMQn2c', 'wLsSHkwQZw', 'hp5SKwob3j', 'fk1S8xRiRT'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, DI9ybLMufZZilrU6Wq.cs	High entropy of concatenated method names: 'CpeCYvNZBC', 'LoTCGw90B4', 'vKiClNB8qY', 'qNdCLSqi7I', 'kPoCdeg8q9', 'Lc0CDLLuwT', 'cW7COMZR83', 'pMLCMURFoS', 'PVwCaKV2mx', 'AesC7WeOjy'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, BZ7ryAigp7mIwggcV4.cs	High entropy of concatenated method names: 'r9tDHCjRvt', 'kLEDKd9IOB', 'aZwDWOff0e', 'SoUDhPQusr', 'vA5DtJAL7K', 'gkDDv14mZh', 'WpbDBdQyWd', 'a5gDqQ1sJJ', 'RtXQMHHTNALhICXweSN', 'p20xVFHj71WXANIGXo2'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.9580000.8.raw.unpack, tJkDMINLg0FRx0akIs.cs	High entropy of concatenated method names: 'PHdEXHWUXI', 'qNYE66vgXE', 'd4GExCiqJQ', 'zCEEiv9Dwk', 'J0tEjvTcX9', 'wJ6EInMhJi', 'dUeEcCdecc', 'piiEn6H3XH', 'WVFE3qOFHh', 'auaEA4B9WW'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, qeeVOC9t6LdtiXkrxm.cs	High entropy of concatenated method names: 'mBYoO4qfAC', 'jHaoMxupbO', 'EjHo7SAS5v', 'Rh3offlGMK', 'Yj1oUnvfEZ', 'BfMogNgyJJ', 'GsOyVAJ9254fQXb9NQ', 'zjjrr0KjuSxdBOHsTH', 'XVxoo6fLOF', 'HsioCgxNVN'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, gGMKApqdipns1Pj1nv.cs	High entropy of concatenated method names: 'bAjdbtsWQ7', 'qSMdvhI7Zb', 'DIpLxACj1H', 'dB5LiRNkMG', 'SxOLjJacXt', 'tVvLI2O1Uh', 'LufLc2iWxd', 'eJlLnCa2Zx', 'PytL396snG', 'IFqLAMyyNZ'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, m648Qv4mCO8JQlX54L.cs	High entropy of concatenated method names: 'e6fWiwR5Y', 'jalhmSf3k', 'UBdtQv8mh', 'QJcvSJFgt', 'A3dB5YEPD', 'SWpqaqkds', 'Gff3VeUINjjrZB32fg', 'qtuxQM2eCY3tvxTGyK', 'BZc2oHPbS', 'j76SNyaEM'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, XKkY9ARJ5xbodNuayd.cs	High entropy of concatenated method names: 'gjwEUoZvTZ', 'EfGETWhwgW', 'VZ3EElBT91', 'xnREkErU5R', 'eNpEFo0mfX', 'iZdEHYTCr5', 'Dispose', 'ft12GVqpvu', 'qhW2lqvlOs', 'jYl2LXrn12'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, QyystgluoasAyrDymm.cs	High entropy of concatenated method names: 'Dispose', 'HbooNdNuay', 'gbM460ISHD', 'zpnj8XVbhm', 'i0QoPYYMp5', 'Tb9ozHvNG6', 'ProcessDialogKey', 'drk4mJkDMI', 'hg04oFRx0a', 'uIs44sfpN5'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, nEZtfMXNgyJJHbGWpf.cs	High entropy of concatenated method names: 'QFBDY4RR0Z', 'XykDle8LOC', 'hNyDdFSk5P', 'dnbDONkdgc', 'ArxDMD2Rhy', 'UFedVRHFvj', 'j90d5SPKQl', 'Vm8dRGygik', 'iVgdsR6Hsp', 'dmAdNM03hO'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, doIyKGQPyheXtjYFsl.cs	High entropy of concatenated method names: 'A1tUA9bapt', 'GwAUpxGkuW', 'OXbUQXJSM9', 'Xv4UZ0Rmk3', 'byAU6jHR3k', 'MGFUxFr5Aj', 'hsHUiUvbNu', 'k0gUjvaHDV', 'XGPUIkrYSr', 'JOQUcCECqj'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, B9eGtromuKyCA1k7ePW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WBqS1qKxZ9', 'tF0SpnQ0Lg', 'KgySy1Lagr', 'n06SQOsqIo', 'LRVSZ2w7il', 'hOsSw8sFiF', 'tmuSJ0lQXC'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, da049wcoy7EfKv8UyX.cs	High entropy of concatenated method names: 'XclOGOGFrU', 'Lq6OL6MSOR', 'sseODlSErJ', 'kWYDP0WymT', 'XD3DzaA1NT', 'R8QOm56QdM', 'gCBOoDPPpg', 'o1GO4CAB04', 'nLcOCsuM4h', 'Or2O9rOy1Y'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, Jg5cN6L1o0pj6epmNC.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rTP4NO149F', 'u5p4PUfCSb', 'rmZ4zbUTIS', 'GQiCmBmXZP', 'nTlCoBNLXm', 'HwsC4ktZ38', 'ciaCCqtIEF', 'U0672k1v22m85bCCoq7'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, WfpN5ePW8Je7VgoiXo.cs	High entropy of concatenated method names: 'uTYSLS0EDC', 'I8MSdZmBY7', 'xmOSDH6ZPI', 'PIASOUFGs4', 'YVFSEp3JjA', 'OJKSMaVWje', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, e4qfACuOHaxupbOMYl.cs	High entropy of concatenated method names: 'ffGlQdXZP7', 't8clZ4FHGy', 'Toflwyj4qy', 'F2QlJQ21Ru', 'OZJlVCMN7g', 'Sfil5cPTrN', 'vndlRNSbXP', 't7rlsLCcBJ', 'c3llN8CRu9', 'jo0lPToped'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, Xcyh8BBjHSAS5vQh3f.cs	High entropy of concatenated method names: 'Ga5LhTfYDI', 'GDKLtmJfxh', 'Xy9LuH7Ra7', 'BmkLBOoBlX', 'OutLUnAibQ', 'rs5LgLFqRT', 'zoyLTN9dG6', 'Eh4L2Rg2p1', 'Hd8LEKvM1u', 'GIeLSVG1ah'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, c8aFkxo94qYycW9X8Oe.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'h4beE9eRAu', 'ITEeSiDmrT', 'JJBek5c2Gq', 'GePeeGq9Rk', 'gyCeF5d5Jp', 'Iuee0wEw6x', 'lLAeHqmG12'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, Y2t7Vy3KyIKisBdVbD.cs	High entropy of concatenated method names: 'MjCOK7Sv8c', 'Fm1O85tu5X', 'RGgOWk3yld', 'uOBOhTNJG7', 'IpOObDAHgG', 'xtQOtbgkl1', 'OwdOvE86BA', 'DexOuRNQkh', 'mOCOBpQU9O', 'XLVOqB3rDc'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, H4FRp3oo8dlriSoQ37Y.cs	High entropy of concatenated method names: 'VH9SP8dwBj', 'fBWSzPx27j', 'P1AkmeapH7', 'HuFkoi7VvI', 'DvAk4wqs0p', 'G6XkCIldM2', 'uK1k9duShK', 'KuekYTGTXa', 'V6ZkGDE5pO', 'cWMklUhJKc'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, z1UvdTJqWj3XUVxL82.cs	High entropy of concatenated method names: 'oOyT7cqARC', 'zINTf6f3xY', 'ToString', 'CFWTG46gvR', 'H1KTlEXIsA', 'bHZTLTQexC', 'AgpTdnpcpB', 'MScTDymkyD', 'MIuTOsOMjr', 'ocJTMS6dZN'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, WDaJ0bwLu1dtqAT27O.cs	High entropy of concatenated method names: 'ToString', 'Fcfg1liQVV', 'onGg6uvvgo', 'rNtgxKGoPC', 'yvRgiWvEAC', 'WEfgjDHQJG', 'CKHgIKwVNv', 'ji5gcq51b0', 'x1sgnBUyKs', 'T35g3E7xKk'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, mcELAGybYqYAornhmC.cs	High entropy of concatenated method names: 'QFQrupacJL', 'IHHrB2KZ55', 'nRtrX73lM9', 'eTNr6Loq2j', 'LK2riZLVZu', 'IEwrjqp3vf', 'KVBrc9wbyf', 'abKrnFAEHh', 'bZ5rAma7VI', 'uAPr1jH6k3'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, K8x27AzHjEaNYk7LDO.cs	High entropy of concatenated method names: 'rp9St3VgDw', 'hyaSupV9EW', 'XMQSB23y79', 'AHKSXn5dJE', 'HkoS6FtPSW', 'FthSiECHno', 'mXISjMQn2c', 'wLsSHkwQZw', 'hp5SKwob3j', 'fk1S8xRiRT'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, DI9ybLMufZZilrU6Wq.cs	High entropy of concatenated method names: 'CpeCYvNZBC', 'LoTCGw90B4', 'vKiClNB8qY', 'qNdCLSqi7I', 'kPoCdeg8q9', 'Lc0CDLLuwT', 'cW7COMZR83', 'pMLCMURFoS', 'PVwCaKV2mx', 'AesC7WeOjy'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, BZ7ryAigp7mIwggcV4.cs	High entropy of concatenated method names: 'r9tDHCjRvt', 'kLEDKd9IOB', 'aZwDWOff0e', 'SoUDhPQusr', 'vA5DtJAL7K', 'gkDDv14mZh', 'WpbDBdQyWd', 'a5gDqQ1sJJ', 'RtXQMHHTNALhICXweSN', 'p20xVFHj71WXANIGXo2'
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.42d0c80.7.raw.unpack, tJkDMINLg0FRx0akIs.cs	High entropy of concatenated method names: 'PHdEXHWUXI', 'qNYE66vgXE', 'd4GExCiqJQ', 'zCEEiv9Dwk', 'J0tEjvTcX9', 'wJ6EInMhJi', 'dUeEcCdecc', 'piiEn6H3XH', 'WVFE3qOFHh', 'auaEA4B9WW'

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	File created: \mv arkadiy chernyshevcall for disch logs 8000cbms_pdf.exe
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	File created: \mv arkadiy chernyshevcall for disch logs 8000cbms_pdf.exe
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	File created: \mv arkadiy chernyshevcall for disch logs 8000cbms_pdf.exe
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	File created: \mv arkadiy chernyshevcall for disch logs 8000cbms_pdf.exe
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	File created: \mv arkadiy chernyshevcall for disch logs 8000cbms_pdf.exe
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	File created: \mv arkadiy chernyshevcall for disch logs 8000cbms_pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	File created: \mv arkadiy chernyshevcall for disch logs 8000cbms_pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	File created: \mv arkadiy chernyshevcall for disch logs 8000cbms_pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	File created: \mv arkadiy chernyshevcall for disch logs 8000cbms_pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

File created: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBBDE.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FCYBBfGXQ.exe PID: 7508, type: MEMORYSTR

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory allocated: DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory allocated: 2700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory allocated: 4F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory allocated: 5F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory allocated: 60A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory allocated: 70A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory allocated: AEF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory allocated: BEF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory allocated: C380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory allocated: D380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory allocated: 10C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory allocated: 4C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Memory allocated: 2480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Memory allocated: 2670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Memory allocated: 4670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Memory allocated: 4D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Memory allocated: 5D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Memory allocated: 5E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Memory allocated: 6E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Memory allocated: A720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Memory allocated: B720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Memory allocated: BBB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Memory allocated: 1300000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Memory allocated: 2E40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Memory allocated: 4E40000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5958	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 902	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7227	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 976	Jump to behavior

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe TID: 7836	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7404	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8180	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7452	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7308	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe TID: 5764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5552	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\SIHClient.exe TID: 5324	Thread sleep time: -90000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\SysWOW64\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\SysWOW64\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: svchost.exe, 0000000A.00000002.2392478137.0000018FD282B000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000014.00000003.1611597359.00000274D9339000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000014.00000002.1612128110.00000274D9339000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: svchost.exe, 0000000A.00000002.2393988540.0000018FD804F000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000014.00000003.1611151400.00000274D938D000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000014.00000003.1323184285.00000274D938D000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000014.00000003.1323821325.00000274D938D000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000014.00000003.1322836479.00000274D938D000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000014.00000002.1612128110.00000274D938D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: FCYBBfGXQ.exe, 0000000D.00000002.2390930697.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2392238809.0000000001106000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Code function: 7_2_052C0AB8 LdrInitializeThunk,LdrInitializeThunk,

7_2_052C0AB8

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe"
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe"
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Memory written: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Memory written: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBBDE.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Process created: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpCD04.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Process created: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe "C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Queries volume information: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Queries volume information: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.FCYBBfGXQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3ebd530.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3675570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2390271872.0000000000417000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 8188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FCYBBfGXQ.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FCYBBfGXQ.exe PID: 1628, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3ebd530.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3675570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 8188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FCYBBfGXQ.exe PID: 7508, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3ebd530.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3675570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 8188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FCYBBfGXQ.exe PID: 7508, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3ebd530.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3675570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2394209871.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2394126088.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 8188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FCYBBfGXQ.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FCYBBfGXQ.exe PID: 1628, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.FCYBBfGXQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3ebd530.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3675570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2390271872.0000000000417000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 8188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FCYBBfGXQ.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FCYBBfGXQ.exe PID: 1628, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3ebd530.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3675570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 8188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FCYBBfGXQ.exe PID: 7508, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3ebd530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3ebd530.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3675570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.43a5f58.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FCYBBfGXQ.exe.3675570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.438f138.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe PID: 8188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FCYBBfGXQ.exe PID: 7508, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	43 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	51 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	51 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	37%	ReversingLabs	Win32.Trojan.Generic
Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	100%	Avira	HEUR/AGEN.1306911

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	100%	Avira	HEUR/AGEN.1306911
C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe	37%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label	Link
https://reallyfreegeoip.orgX	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.16.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000E.00000003.1364011021.000002653A267000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000E.00000003.1364190854.000002653A241000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.tiro.com	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.10.dr, qmgr.db.10.dr	false		high
http://www.fontbureau.com/designers	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000E.00000002.1364883770.000002653A270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364028882.000002653A262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364159071.000002653A25A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364190854.000002653A241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1363931769.000002653A26E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364847121.000002653A263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364778121.000002653A242000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.typography.netD	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	edb.log.10.dr, qmgr.db.10.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000E.00000002.1364735087.000002653A22B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2	edb.log.10.dr, qmgr.db.10.dr	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000E.00000003.1364190854.000002653A241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364778121.000002653A242000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189l	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, FCYBBfGXQ.exe, 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189d	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1188650346.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 00000008.00000002.1231356862.00000000026BE000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000E.00000002.1364694018.000002653A213000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000E.00000002.1364735087.000002653A22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364028882.000002653A262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364159071.000002653A25A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364847121.000002653A263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 0000000A.00000003.1203809769.0000018FD7E62000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000E.00000002.1364735087.000002653A22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364865307.000002653A268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364011021.000002653A267000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 0000000E.00000003.1363888996.000002653A275000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364904290.000002653A277000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000E.00000002.1364735087.000002653A22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364865307.000002653A268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364011021.000002653A267000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 0000000E.00000002.1364735087.000002653A22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364028882.000002653A262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364847121.000002653A263000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000E.00000003.1364175134.000002653A249000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364778121.000002653A242000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 0000000E.00000003.1364190854.000002653A241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364778121.000002653A242000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 0000000A.00000002.2393825306.0000018FD8000000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000E.00000003.1364028882.000002653A262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364847121.000002653A263000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000E.00000003.1364175134.000002653A249000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364778121.000002653A242000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 0000000E.00000002.1364813080.000002653A259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.orgX	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000E.00000002.1364778121.000002653A242000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000E.00000002.1364778121.000002653A242000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 0000000A.00000003.1203809769.0000018FD7E62000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr	false		high
http://checkip.dyndns.comd	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2394209871.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 0000000D.00000002.2394126088.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1194514070.0000000008E72000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 0000000E.00000002.1364813080.000002653A259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000E.00000003.1364028882.000002653A262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364847121.000002653A263000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000E.00000003.1364110561.000002653A258000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe, 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, FCYBBfGXQ.exe, 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, FCYBBfGXQ.exe, 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000E.00000002.1364883770.000002653A270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1363931769.000002653A26E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000E.00000003.1364227661.000002653A231000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364028882.000002653A262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1364847121.000002653A263000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.16.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1637714
Start date and time:	2025-03-13 21:16:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/24@2/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 99% Number of executed functions: 165 Number of non-executed functions: 19
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 52.149.20.212, 13.85.23.206, 4.175.87.197, 20.3.187.198
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target FCYBBfGXQ.exe, PID 1628 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:17:10	API Interceptor	1x Sleep call for process: Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe modified
16:17:12	API Interceptor	28x Sleep call for process: powershell.exe modified
16:17:15	API Interceptor	1x Sleep call for process: FCYBBfGXQ.exe modified
16:17:16	API Interceptor	2x Sleep call for process: svchost.exe modified
16:17:28	API Interceptor	3x Sleep call for process: SIHClient.exe modified
20:17:14	Task Scheduler	Run new task: FCYBBfGXQ path: C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	SOA Since OCT DEC 241738316681530012900.bat	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	EM#U0130R_7880330875661236965345096345789_3479653.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	uyqMsPsOG1.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	7uUGimQipu.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	xWApJIM4Ma.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	77MmBkD2PE.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	ZV6c9EEXXN.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
104.21.16.1	https://t.co/6BJID9q49h	Get hash	malicious	HTMLPhisher	Browse	tcerfw.wittnng.sbs/favicon.ico
	J8bamK92a3.exe	Get hash	malicious	FormBook	Browse	www.play-vanguard-nirvana.xyz/egs9/?9r=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDKEzYOkwPMwL8bVA==&vZR=H2MpG0p
	0t7MXNEfCg.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/n61y/?UPV=BOlfS7N9ZWkGRIMRgNC6B6+WUTyM673eSjZAzliNIDKZHnAeT7/5dfTbZtimq+dx8K4CQjPcymznAMXPWSrBBYPYz0JSQDMkWzhvpNbFnW2/OcjAWw==&YrV=FlsDgRMx
	0IrTeguWM7.exe	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/ftbq/
	Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	Payment Record.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Invoice Remittance ref27022558.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	ujXpculHYDYhc6i.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php
	368c6e62-b031-5b65-fd43-e7a610184138.eml	Get hash	malicious	HTMLPhisher	Browse	ce60771026585.oakdiiocese.org/p/298?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	Notice Letter 2025 03 12 02930920.docs.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	Bank Swift Payment.bat.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	QUOTATION_MARQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	104.21.32.1
	SOA Since OCT DEC 241738316681530012900.bat	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
checkip.dyndns.com	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Notice Letter 2025 03 12 02930920.docs.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	Bank Swift Payment.bat.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	QUOTATION_MARQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	193.122.130.0
	SOA Since OCT DEC 241738316681530012900.bat	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://empenhoead.com.br/nn/new/rdp	Get hash	malicious	Unknown	Browse	104.18.95.41
	Secure Email for Transferring Files.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	73aeaf.msi	Get hash	malicious	Unknown	Browse	172.67.183.127
	https://sbperu.net/	Get hash	malicious	Unknown	Browse	1.1.1.1
	40d4ec.msi	Get hash	malicious	Unknown	Browse	104.21.80.136
	http://allstarteventsmiami.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	Call_Playback_relay-Dbee.svg	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://txkowjl.vk.com/away.php?to=https%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpcs%2Fclick%3Fadurl%3Dhttps%3A%2F%2Fibm2r03lv6.cleanfuel.africa%3F_t%3DbnBkL2xvYmN4cHNzYkFzZnRwbi91c3ZsMGZvam4wYmRqc2diL21mdmdvYmZtZC83d200MXMwMDt0cXV1aQ	Get hash	malicious	Unknown	Browse	1.1.1.1
	attach.svg	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.17.25.14
	https://trans-verification.com.es/nn/	Get hash	malicious	Unknown	Browse	104.21.52.54
UTMEMUS	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	SOA Since OCT DEC 241738316681530012900.bat	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PO-2513203-PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Product Order Hirsch 1475.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	wecreatebestthingsentirelifeforgivenyou.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	Notice Letter 2025 03 12 02930920.docs.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	Bank Swift Payment.bat.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	Order 20201103.exe	Get hash	malicious	RedLine	Browse	104.21.16.1
	SOA Since OCT DEC 241738316681530012900.bat	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073583275989233
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrD:KooCEYhgYEL0In
MD5:	1A7A89BB701473D61C62929780A201FC
SHA1:	DB87F41DC7BECB3AA2FF63631C081BDD4DCA3627
SHA-256:	44CF0D9965975A1EDED4E7B99D96EBB8C7294793FF1C1EE55E8D5F890AEF94F0
SHA-512:	FB128E14FF7CF541CD2F7E54809FFD7ABEB523340FE23779DCE91B67A9FF78E31FD0DEBE934802291F2A5F5AA37D7D68A6A9B6C992EAA82B20ED59D990FC92A2
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x245ffd0b, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221245162378203
Encrypted:	false
SSDEEP:	1536:pSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:paza/vMUM2Uvz7DO
MD5:	2EDF63E5ABD9B3203CD84DEDC46B7CC8
SHA1:	CC3341BCF2B64DF025B30134A803DB056AA98561
SHA-256:	BEC8DED0D86F4B53DF711DE5CF82B28BB1C114D943D31673E7861FBFBCE89F3B
SHA-512:	0C68967FC2E30D43ADA42719A6CD5E4E1834DF18DB50BBB5A0CFAAB2041402C81343FFDB2B3909B1ABFBF699A80E87156D137394354A381150C8D0E36905F1D6
Malicious:	false
Preview:	$_..... .......A.......X\...;...{......................0.!..........{A......}a.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..........................................}a.................t\NG.....}a..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07690047297467484
Encrypted:	false
SSDEEP:	3:bjUYeCVmYI+xjn13a/xi10pPlXlollcVO/lnlZMxZNQl:bjUz5Gx53qk10eOewk
MD5:	B299D46569E399E61701CA22510D3C02
SHA1:	3396A6D21E1D272A6C94C185292043B8C35ECD74
SHA-256:	FA48C53C277B07D23F7E8B326D82BC7BE93AA2C6494F371FDA84ADA2CCDA1BA7
SHA-512:	247E6AAFAA26DDC20512F060F999962E3CD08410F79818AFC4FADF484C1A4B903222E2475ED3392B4AC61EAA4DD9079DF062865345DEABBBF691954564508EC2
Malicious:	false
Preview:	G..E.....................................;...{.......}a......{A..............{A......{A..........{A]................t\NG.....}a.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FCYBBfGXQ.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.log

Download File

Process:	C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379552885213346
Encrypted:	false
SSDEEP:	48:fWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMugeoM0Uyus:fLHxvCZfIfSKRHmOugU1s
MD5:	1184C606880117E24D37548B9BDB837C
SHA1:	7472E8297E7CD73D8842C0DA7DFB97FC8C69A9C0
SHA-256:	EF773935D240A76C87E735B78322EBA75DA136154A6E45176675B7F039E13DEF
SHA-512:	B20C31BD3FB4315518EA866D80B4A5E37A520B227496C48623A8DF9843BA705C50E674E1607E8DE02F462E228FB62A1AFE048E93D393EF413821DE55E3637978
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfwloyo1.qs2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gskcg04b.z5c.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mlp0r2oo.mtr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_muez1x5u.ot3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o1amlst4.y0l.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rccnd32y.2s3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uom0tfnt.4w1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xtltztoy.1s5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpBBDE.tmp

Download File

Process:	C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	5.124897158136994
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaDEoxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTQEIv
MD5:	642D44E1F24A0C19C930A7E51CBF881E
SHA1:	72F14E86DB7820CF0F9FB7D0C018D49EE6D405BB
SHA-256:	3C455ACD35EF19CED8BBCB035E929B5F0066DF6F7B22FE76D6786C9F9A85600E
SHA-512:	A0026392E8DA2402E1BE6B8B90960324DC3F8FE05678DB5F7989997EE589851FEB7F3DD80068DA7AAFF36AA7E2A20EC4C97322E0C91F86DD321F9FB5165B0F0D
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpCD04.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	5.124897158136994
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaDEoxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTQEIv
MD5:	642D44E1F24A0C19C930A7E51CBF881E
SHA1:	72F14E86DB7820CF0F9FB7D0C018D49EE6D405BB
SHA-256:	3C455ACD35EF19CED8BBCB035E929B5F0066DF6F7B22FE76D6786C9F9A85600E
SHA-512:	A0026392E8DA2402E1BE6B8B90960324DC3F8FE05678DB5F7989997EE589851FEB7F3DD80068DA7AAFF36AA7E2A20EC4C97322E0C91F86DD321F9FB5165B0F0D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe

Download File

Process:	C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	582656
Entropy (8bit):	7.717537978403145
Encrypted:	false
SSDEEP:	12288:C5H5MOiV19XrPwuEHGq6zkQnOtMIa60xXM6NYJ58OKnEtoW:Cd5MOiX97+mPoQmMG0x5Ns58OL
MD5:	E160DE033812EB66EF818EF415E8FF84
SHA1:	DA4D6E7AD211D7A7DB5E39002BD4F972C530013D
SHA-256:	1827DFEE3F5DB9C0924437EBC91434D916F36F7ED1BE8B643D2DF2FB9D7E07DB
SHA-512:	2EDE508BC4BE31D77A472181AE3E7C520B6330282A4C29B6595B8E7BD1BF7B9AEA5F033130BD53CB4875EC102913932B5EC0AF8D8077DFF7F7F2353F560561FD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s..g..............0...... ........... ........@.. .......................@............`.................................D...W............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......p...............h....<.............................................^..4;..Vr..FOl.=.u.%>...{N..? .Y_..fx[Q.......`Y$....1........t,.........]....Ylt...OJ.Px.8...sU..............O....JmG.\|.c..~...mZ.4..j1.8e..=m......U{R..0W.*.A!...DO...?...l....)..,X..5..-.S.h. ..B.f..6.....I..t.4....&k..........{).......D..p...Q.+q...o ..N.h8D.?..q..)0.-..v...i.......u.z.En..E....&<.-.+.Q.<D%..).Zx.........e@...=9.. .)e..wfbnw.Y.V....X....th....T0X4~....'^X#....

C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Logs\SIH\SIH.20250313.161725.055.1.etl

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.273501324012416
Encrypted:	false
SSDEEP:	192:WYauGUK9rWF3nXpXiX0cHXrXqXdbqXxXWXCD05UUtR:WOGUK9rWF3nXpXiX0KXrXqXdmXxXWXCQ
MD5:	F76A104EC255E895E818A612302C8134
SHA1:	07E8037415646A04D5CEED0A6C6A0677E4377521
SHA-256:	1F3302EF4F59272E11EE46B01186F6BF4CEFA04575E175C93301A5B29549A315
SHA-512:	8A5A504CC32044547A8B118A7455DB07B93B0271D233FB8929FADB58A1271DC180BC9BC0EEB05F9D3867519A8730CAD7234F72D5F7B2D4B6722C8C9724D697FD
Malicious:	false
Preview:	....P...P.......................................P...!......................................M....................eJ.......A.U...Zb....... ......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................1L...........y.Q.T...........S.I.H._.t.r.a.c.e._.l.o.g...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.S.I.H.\.S.I.H...2.0.2.5.0.3.1.3...1.6.1.7.2.5...0.5.5...1...e.t.l.......P.P............M....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMPC40C.tmp

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	17126
Entropy (8bit):	7.3117215578334935
Encrypted:	false
SSDEEP:	192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
MD5:	1B6460EE0273E97C251F7A67F49ACDB4
SHA1:	4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
SHA-256:	3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
SHA-512:	3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
Malicious:	false
Preview:	MSCF............D................\|...............A..........d.......................environment.xml.....b...CK..ao.0...J...&.q...-..;+.6+-i.......7.....=....g.P.RQ.#..#...QQ..p.kk..qX..)...T.....zL#<.4......\k..f..,.Q...`..K7.hP..".E.53.V.DW.X).z.=`.COO 8..8.......!$.P!`00....E.m..l .)".J.vC..J..&...5.5(.a..!..MIM.........z.;......t.<.o..\|CR.3>..n.;8dX....:....N.....U.......J.I(vT..3...N....$.._^.A<....&=._(N....m.u.1}.....Ax.b8....q~.i..0.A....H........A.0.@....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...,..gK.........(...._`Oa..;%.010...`.H.e....... K...,.%@.b./.a...Q.:..E.7....V~....0...0..........3....!.G~&.9......0....H........0~1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1(0&..U....Microsoft Update Signing CA 2.20...190502214449Z..200502214449Z0o1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft Update0.."0...

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	24490
Entropy (8bit):	7.629144636744632
Encrypted:	false
SSDEEP:	384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
MD5:	ACD24F781C0C8F48A0BD86A0E9F2A154
SHA1:	93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
SHA-256:	5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
SHA-512:	7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
Malicious:	false
Preview:	MSCF............D...............#................A..........d........B..............environment.cab.x.\&..BCK.\.T...N.....;LB.JW.. .w!....$...U....."........ (.. E..........w...e.Jf.3gN.{...{V.M4.!.....hn. p(... .a...f..f..j.....Kh5..l.DB\}.=.0.>..X.....z..,'..LC/>....h.>.>.........,~mVI.....'EGD]^..\{....Q....f...4.F.....q..FF.1~...Q,.."g.qq.......}.....g%Zz.;m.9..z../2Jl.p8wGO......-V....FM......y.....Hy.xy......N.r;.@uV........Xa...b].`..F...y.Wd.e.8.[Z.s7].....=B.$...'.\|.-.sC....a_(..$..i.C.T.F}...]...m.R,y.1...'..j3.....ir..B..)sR.G...`-=.w....m..2y.....o...\{..C.4.:ZM..wL-$.I.x:?.!.....:..W.%&.....J.%.....~....E..T.d.Q{..p..J..pY...P../.."rp....`...#w.....'.\|n%Dy,.....i....."..x.....b._..\_.^.XOo..*:.&a.`..qA.?.@..t.R/...X3.nF.&........1Z.r.S...9x........?..aP..A...f..k:..\....L...t....Q...1..A..33A1.t..)...c....;......$.$..>._....A.!g`..t...b.H.L..&.....!......v~.n...uE.x...."5.h.4..B.R.d.4.%--.`.B..."..[....l......x(..5......@.zr....

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP1DA1.tmp

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 858 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 12183, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	19826
Entropy (8bit):	7.454351722487538
Encrypted:	false
SSDEEP:	384:3j+naF6zsHqnltHNsAR9zCfsOCUPTNbZR9zOzD8K:z1F6JLts89zIdrFT9zwoK
MD5:	455385A0D5098033A4C17F7B85593E6A
SHA1:	E94CC93C84E9A3A99CAD3C2BD01BFD8829A3BCD6
SHA-256:	2798430E34DF443265228B6F510FC0CFAC333100194289ED0488D1D62C5367A7
SHA-512:	104FA2DAD10520D46EB537786868515683752665757824068383DC4B9C03121B79D9F519D8842878DB02C9630D1DFE2BBC6E4D7B08AFC820E813C250B735621A
Malicious:	false
Preview:	MSCF....Z.......D................/..........Z....J..........d.......................environment.xml........CK....8.....w..=.9%T`.eu:.jn.E.8......m_.o?...5.K.{.3X3....^.{i..b......{.+.....y:..KW;;\..n.K=.]k..{.=..3......D$.&IQH.$-..8.r.{..HP.........g....^..~......e.f2^..N.`.B..o.t....z..3..[#..{S.m..w....<M...j..6.k.K.....~.SP.mx..;N.5..~\.[.!gP...9r@"82"%.B%..<2.c....vO..hB.Fi....{...;.}..f\|..g.7..6..].7B..O..#d..]Ls.k..Le...2...&I.Q.,....0.\.-.#..L%.Z.G..K.tU.n...J..TM....4....~...:..2.X..p.d....&.Bj.P(.."..).s.d....W.=n8...n...rr..O._.yu...R..$....[...=H"K<.`.e...d.1.3.gk....M..<R......%1BX.[......X.....q......:...3..w....QN7. .qF..A......Q.p...G...JtL...8sr.s.eQ.zD.u...s.....tjj.G.....Fo...f`Bb<.]k..e.b..,......1.:-....K.......M..;....(,.W.V(^_.....9.,`\|...9...>..R...2\|.\|5.r....n.y>wwU..5...0.J....H........J.0.I....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...>^..~a..e.D.V.C...

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\sls.cab

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 11149 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 18779, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	30005
Entropy (8bit):	7.7369400192915085
Encrypted:	false
SSDEEP:	768:ouCAyCeQ8fkZdfTGo/its89z8gjP69zA4:Aqf56z8HzT
MD5:	4D7FE667BCB647FE9F2DA6FC8B95BDAE
SHA1:	B4B20C75C9AC2AD00D131E387BCB839F6FAAABCA
SHA-256:	BE273EA75322249FBF58C9CAD3C8DA5A70811837EF9064733E4F5FF1969D4078
SHA-512:	DDB8569A5A5F9AD3CCB990B0A723B64CEE4D49FA6515A8E5C029C1B9E2801F59259A0FC401E27372C133952E4C4840521419EF75895260FA22DFF91E0BE09C02
Malicious:	false
Preview:	MSCF.....+......D...............[I...........+...I..........d.......rM..............environment.cab...Q.!+rMCK.\|.XT....CI7.....AR..$..C$D....RA:....T..........o...g...>.....s....z...>..<...J.R.A......%}..... 0............\...e.z...@..{..,./.:9:X8.s^q...>.(]...I)....'..v@....!.(.i.n.!.g.8\/.+X3.E.~.pi...Q...B...."Oj..~.:....M....uB.}..v.WR........tDD......D7..j..`..5..E.2.z..C....4.s....r..Y.:.\|.mtg...S..b._.....!.~Kn..E.=...x.N..e.)....xz...p..h.;..xR'...U.}........nK.+.Y........p..r _.;?.m}$..%&...8. 7..T....,7..F...e...kI.y...q....".W.W..[..gZQ.....W.$k.T"...N....5.R...,+...u.~VO...R-......H7..9........].K....]....tS~.LSi....T....3+........k......i.J.y...,.Y\|.N.t.LX.....zu..8......S7..{y.m.....Ob.....^.S8Kn.i.._.c~.x.ce.A...t........S.......i1......V..S]H....$..J....E..j...4...o.$..).....;.n<.b.}.(.J.]...Q..u,.-.Bm.[z.j..-i.."...._v.......N..+...g..v..../...;G.Yw....0..u...z....J..K.E..s&..u.h3.]J.G............Z....=.N.X..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.717537978403145
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
File size:	582'656 bytes
MD5:	e160de033812eb66ef818ef415e8ff84
SHA1:	da4d6e7ad211d7a7db5e39002bd4f972c530013d
SHA256:	1827dfee3f5db9c0924437ebc91434d916f36f7ed1be8b643d2df2fb9d7e07db
SHA512:	2ede508bc4be31d77a472181ae3e7c520b6330282a4c29b6595b8e7bd1bf7b9aea5f033130bd53cb4875ec102913932b5ec0af8d8077dff7f7f2353f560561fd
SSDEEP:	12288:C5H5MOiV19XrPwuEHGq6zkQnOtMIa60xXM6NYJ58OKnEtoW:Cd5MOiX97+mPoQmMG0x5Ns58OL
TLSH:	A1C4DF987644B59FC897C9728E64ED30A2216D7B9207D343D4E72EEB790D1ABDF001E2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s..g..............0...... ........... ........@.. .......................@............`................................

File Icon


Icon Hash:	c490e8cccce890cc

Static PE Info

General

Entrypoint:	0x48e19e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D2B973 [Thu Mar 13 10:54:43 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8e144	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x90000	0x1de8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x92000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8c1a4	0x8c200	4bd770f8a7ea5c7d4bf3c564a3ca0256	False	0.8641506606824264	data	7.723471960526681	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x90000	0x1de8	0x1e00	616d14e0e7d84b58054331b846811500	False	0.877734375	data	7.488503402517861	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x92000	0xc	0x200	0b3c427884d393124cccbd61a9f8af1c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x900e8	0x19d1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9506733242548041
RT_GROUP_ICON	0x91abc	0x14	data	1.05
RT_VERSION	0x91ad0	0x314	data	0.434010152284264

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	WFBind.Demo
FileVersion	1.0.0.0
InternalName	xxSS.exe
LegalCopyright	Copyright 2016
LegalTrademarks
OriginalFilename	xxSS.exe
ProductName	WFBind.Demo
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T21:17:15.567716+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49720	132.226.8.169	80	TCP
2025-03-13T21:17:20.333351+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49724	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 21:17:13.778053045 CET	49720	80	192.168.2.4	132.226.8.169
Mar 13, 2025 21:17:13.783121109 CET	80	49720	132.226.8.169	192.168.2.4
Mar 13, 2025 21:17:13.783188105 CET	49720	80	192.168.2.4	132.226.8.169
Mar 13, 2025 21:17:13.783514023 CET	49720	80	192.168.2.4	132.226.8.169
Mar 13, 2025 21:17:13.788578033 CET	80	49720	132.226.8.169	192.168.2.4
Mar 13, 2025 21:17:14.636168957 CET	80	49720	132.226.8.169	192.168.2.4
Mar 13, 2025 21:17:14.640522003 CET	49720	80	192.168.2.4	132.226.8.169
Mar 13, 2025 21:17:14.645936012 CET	80	49720	132.226.8.169	192.168.2.4
Mar 13, 2025 21:17:15.495019913 CET	80	49720	132.226.8.169	192.168.2.4
Mar 13, 2025 21:17:15.512206078 CET	49721	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:15.512247086 CET	443	49721	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:15.512303114 CET	49721	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:15.530039072 CET	49721	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:15.530054092 CET	443	49721	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:15.567715883 CET	49720	80	192.168.2.4	132.226.8.169
Mar 13, 2025 21:17:16.743937016 CET	443	49721	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:16.744015932 CET	49721	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:16.749846935 CET	49721	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:16.749860048 CET	443	49721	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:16.750086069 CET	443	49721	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:16.819148064 CET	49721	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:16.864325047 CET	443	49721	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:17.264462948 CET	443	49721	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:17.264519930 CET	443	49721	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:17.264604092 CET	49721	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:17.274106026 CET	49721	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:17.997721910 CET	49724	80	192.168.2.4	132.226.8.169
Mar 13, 2025 21:17:18.002485037 CET	80	49724	132.226.8.169	192.168.2.4
Mar 13, 2025 21:17:18.002558947 CET	49724	80	192.168.2.4	132.226.8.169
Mar 13, 2025 21:17:18.002775908 CET	49724	80	192.168.2.4	132.226.8.169
Mar 13, 2025 21:17:18.007471085 CET	80	49724	132.226.8.169	192.168.2.4
Mar 13, 2025 21:17:18.990865946 CET	80	49724	132.226.8.169	192.168.2.4
Mar 13, 2025 21:17:18.994704008 CET	49724	80	192.168.2.4	132.226.8.169
Mar 13, 2025 21:17:18.999336004 CET	80	49724	132.226.8.169	192.168.2.4
Mar 13, 2025 21:17:20.281972885 CET	80	49724	132.226.8.169	192.168.2.4
Mar 13, 2025 21:17:20.285917997 CET	49726	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:20.285948038 CET	443	49726	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:20.286108971 CET	49726	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:20.290210009 CET	49726	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:20.290225029 CET	443	49726	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:20.333350897 CET	49724	80	192.168.2.4	132.226.8.169
Mar 13, 2025 21:17:21.746543884 CET	443	49726	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:21.746812105 CET	49726	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:21.748749971 CET	49726	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:21.748755932 CET	443	49726	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:21.749027967 CET	443	49726	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:21.792640924 CET	49726	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:21.812972069 CET	49726	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:21.860332012 CET	443	49726	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:22.343561888 CET	443	49726	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:22.343614101 CET	443	49726	104.21.16.1	192.168.2.4
Mar 13, 2025 21:17:22.343883991 CET	49726	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:22.346370935 CET	49726	443	192.168.2.4	104.21.16.1
Mar 13, 2025 21:17:54.450045109 CET	51613	53	192.168.2.4	162.159.36.2
Mar 13, 2025 21:17:54.454705954 CET	53	51613	162.159.36.2	192.168.2.4
Mar 13, 2025 21:17:54.454866886 CET	51613	53	192.168.2.4	162.159.36.2
Mar 13, 2025 21:17:54.454866886 CET	51613	53	192.168.2.4	162.159.36.2
Mar 13, 2025 21:17:54.459533930 CET	53	51613	162.159.36.2	192.168.2.4
Mar 13, 2025 21:17:54.918518066 CET	53	51613	162.159.36.2	192.168.2.4
Mar 13, 2025 21:17:54.919017076 CET	51613	53	192.168.2.4	162.159.36.2
Mar 13, 2025 21:17:54.923801899 CET	53	51613	162.159.36.2	192.168.2.4
Mar 13, 2025 21:17:54.923852921 CET	51613	53	192.168.2.4	162.159.36.2
Mar 13, 2025 21:18:20.497059107 CET	80	49720	132.226.8.169	192.168.2.4
Mar 13, 2025 21:18:20.497147083 CET	49720	80	192.168.2.4	132.226.8.169
Mar 13, 2025 21:18:25.283035994 CET	80	49724	132.226.8.169	192.168.2.4
Mar 13, 2025 21:18:25.283098936 CET	49724	80	192.168.2.4	132.226.8.169
Mar 13, 2025 21:18:55.505752087 CET	49720	80	192.168.2.4	132.226.8.169
Mar 13, 2025 21:18:55.510482073 CET	80	49720	132.226.8.169	192.168.2.4
Mar 13, 2025 21:19:00.287081957 CET	49724	80	192.168.2.4	132.226.8.169
Mar 13, 2025 21:19:00.291829109 CET	80	49724	132.226.8.169	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 21:17:13.763348103 CET	61752	53	192.168.2.4	1.1.1.1
Mar 13, 2025 21:17:13.770746946 CET	53	61752	1.1.1.1	192.168.2.4
Mar 13, 2025 21:17:15.503968954 CET	58056	53	192.168.2.4	1.1.1.1
Mar 13, 2025 21:17:15.511493921 CET	53	58056	1.1.1.1	192.168.2.4
Mar 13, 2025 21:17:54.449559927 CET	53	51531	162.159.36.2	192.168.2.4
Mar 13, 2025 21:17:55.031513929 CET	53	53276	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 21:17:13.763348103 CET	192.168.2.4	1.1.1.1	0x8631	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 13, 2025 21:17:15.503968954 CET	192.168.2.4	1.1.1.1	0x7730	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 21:17:13.770746946 CET	1.1.1.1	192.168.2.4	0x8631	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 13, 2025 21:17:13.770746946 CET	1.1.1.1	192.168.2.4	0x8631	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 13, 2025 21:17:13.770746946 CET	1.1.1.1	192.168.2.4	0x8631	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 13, 2025 21:17:13.770746946 CET	1.1.1.1	192.168.2.4	0x8631	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 13, 2025 21:17:13.770746946 CET	1.1.1.1	192.168.2.4	0x8631	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 13, 2025 21:17:13.770746946 CET	1.1.1.1	192.168.2.4	0x8631	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 13, 2025 21:17:15.511493921 CET	1.1.1.1	192.168.2.4	0x7730	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 21:17:15.511493921 CET	1.1.1.1	192.168.2.4	0x7730	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 21:17:15.511493921 CET	1.1.1.1	192.168.2.4	0x7730	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 21:17:15.511493921 CET	1.1.1.1	192.168.2.4	0x7730	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 21:17:15.511493921 CET	1.1.1.1	192.168.2.4	0x7730	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 21:17:15.511493921 CET	1.1.1.1	192.168.2.4	0x7730	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 21:17:15.511493921 CET	1.1.1.1	192.168.2.4	0x7730	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49720	132.226.8.169	80	8188	C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Mar 13, 2025 21:17:13.783514023 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 13, 2025 21:17:14.636168957 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 20:17:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 13, 2025 21:17:14.640522003 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 13, 2025 21:17:15.495019913 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 20:17:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49724	132.226.8.169	80	1628	C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe

Timestamp	Bytes transferred	Direction	Data
Mar 13, 2025 21:17:18.002775908 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 13, 2025 21:17:18.990865946 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 20:17:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 13, 2025 21:17:18.994704008 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 13, 2025 21:17:20.281972885 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 20:17:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49721	104.21.16.1	443	8188	C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 20:17:16 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-13 20:17:17 UTC	849	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 20:17:17 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 19822 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 13 Mar 2025 14:46:54 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TsaZdGfYOJ5KP7osIh1gc2sTMnA3Te8mGvsyDC4OKB3pMvIsxvUY4JcHS3hd9LmATryF6ogqU5qC9Ly0CuKojNjC0NAwORoHKbJ9bXG9DQZNr2ugeYJ2WvOe%2FjWwGrzIwDBxh2ul"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fe36c15f567418-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=30783&min_rtt=29977&rtt_var=9013&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=95360&cwnd=32&unsent_bytes=0&cid=b81488a3c5c7558e&ts=490&x=0"
2025-03-13 20:17:17 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49726	104.21.16.1	443	1628	C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 20:17:21 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-13 20:17:22 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 20:17:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 47308 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 13 Mar 2025 07:08:53 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z%2FI7f5YL18r8FPJwRiLGWX2OnQd%2BMa2%2BY8B2fmSuGO2UaJVmJKAVBErdWYZI5cWF9xzv%2BMkD00l4KrLHjnDWaggxQNuIwamlhaSHvP5WVklSjO8C3%2FgAeqRjq6kWHMLGk2q37Ue7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fe36e16a0f41f9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=31502&min_rtt=30788&rtt_var=9897&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=85581&cwnd=32&unsent_bytes=0&cid=d1128bc13bc5aefa&ts=736&x=0"
2025-03-13 20:17:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	16:17:09
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe"
Imagebase:	0x4f0000
File size:	582'656 bytes
MD5 hash:	E160DE033812EB66EF818EF415E8FF84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1189794518.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:17:11
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe"
Imagebase:	0x1b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:17:11
Start date:	13/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:17:11
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe"
Imagebase:	0x1b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:17:11
Start date:	13/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:17:11
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBBDE.tmp"
Imagebase:	0x800000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:17:11
Start date:	13/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:17:12
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe"
Imagebase:	0x950000
File size:	582'656 bytes
MD5 hash:	E160DE033812EB66EF818EF415E8FF84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2390276147.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2394209871.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	16:17:14
Start date:	13/03/2025
Path:	C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe
Imagebase:	0x320000
File size:	582'656 bytes
MD5 hash:	E160DE033812EB66EF818EF415E8FF84
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.1235446855.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.1235446855.0000000003671000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:17:14
Start date:	13/03/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff75b8b0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:17:15
Start date:	13/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6ca680000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	16:17:16
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCYBBfGXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpCD04.tmp"
Imagebase:	0x800000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:17:16
Start date:	13/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:17:16
Start date:	13/03/2025
Path:	C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\FCYBBfGXQ.exe"
Imagebase:	0xa40000
File size:	582'656 bytes
MD5 hash:	E160DE033812EB66EF818EF415E8FF84
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 0000000D.00000002.2390271872.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2394126088.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	16:17:22
Start date:	13/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff6ca680000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	16:17:25
Start date:	13/03/2025
Path:	C:\Windows\System32\SIHClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sihclient.exe /cv AYwrbjd6P0exK9ixJzgDPQ.0.2
Imagebase:	0x7ff62a090000
File size:	380'720 bytes
MD5 hash:	8BE47315BF30475EEECE8E39599E9273
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FCYBBfGXQ.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfwloyo1.qs2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gskcg04b.z5c.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mlp0r2oo.mtr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_muez1x5u.ot3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o1amlst4.y0l.ps1

Windows Analysis Report
Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe