Edit tour

Windows Analysis Report
theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe

Overview

General Information

Sample name:	theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe renamed because original name is a hash value
Original sample name:	theants-2.0.3-Setup-dkp3z.7x5ols.spqn44~x.exe
Analysis ID:	1639984
MD5:	ba000790d0759848b49131957f4b53e9
SHA1:	96651f44b2ccceae3d9429418253f3ace41a9544
SHA256:	1248bf51c48a4325bf5765060d16d36f7d787f283e61513b6fa025d1b37c8b4c
Tags:	exemalwaresalitytrojanvirususer-2huMarisa
Infos:

Detection

Sality

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Sality

Allocates memory in foreign processes

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to inject threads in other processes

Disables UAC (registry)

Disables user account control notifications

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Injects code into the Windows Explorer (explorer.exe)

Joe Sandbox ML detected suspicious sample

May modify the system service descriptor table (often done to hook functions)

Modifies the windows firewall

Modifies the windows firewall notifications settings

PE file has a writeable .text section

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Queries the volume information (name, serial number etc) of a device

Sigma detected: Uncommon Svchost Parent Process

Stores files to the Windows start menu directory

Stores large binary data to the registry

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe (PID: 5392 cmdline: "C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe" MD5: BA000790D0759848B49131957F4B53E9)

fontdrvhost.exe (PID: 788 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

fontdrvhost.exe (PID: 796 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

dwm.exe (PID: 1000 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

sihost.exe (PID: 3444 cmdline: sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)

svchost.exe (PID: 3464 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 3512 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ctfmon.exe (PID: 3800 cmdline: "ctfmon.exe" MD5: B625C18E177D5BEB5A6F6432CCF46FB3)

explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

theants.exe (PID: 2612 cmdline: "C:\Program Files\The Ants\theants.exe" MD5: 84679E7D0E4DB56B1DF2C065594E691A)

svchost.exe (PID: 3508 cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

StartMenuExperienceHost.exe (PID: 4632 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca MD5: 5CDDF06A40E89358807A2B9506F064D9)

RuntimeBroker.exe (PID: 4720 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

SearchApp.exe (PID: 4824 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca MD5: 5E1C9231F1F1DCBA168CA9F3227D9168)

RuntimeBroker.exe (PID: 5012 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

smartscreen.exe (PID: 4388 cmdline: C:\Windows\System32\smartscreen.exe -Embedding MD5: 02FB7069B8D8426DC72C9D8A495AF55A)

conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 0D698AF330FD17BEE3BF90011D49251D)

backgroundTaskHost.exe (PID: 2752 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX4325622ft6437f3xfywcfxgbedfvpn0x.mca MD5: DA7063B17DBB8BBB3015351016868006)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Sality	F-Secure states that the Sality virus family has been circulating in the wild as early as 2003. Over the years, the malware has been developed and improved with the addition of new features, such as rootkit or backdoor functionality, and so on, keeping it an active and relevant threat despite the relative age of the malware.Modern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) to perform other malicious actions, such as attacking routers.InfectionSality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as prepending. The viral code that Sality inserts is polymorphic, a form of complex code that is intended to make analysis more difficult.Earlier Sality variants were regarded as technically sophisticated in that they use an Entry Point Obscuration (EPO) technique to hide their presence on the system. This technique means that the virus inserts a command somewhere in the middle of an infected file's code, so that when the system is reading the file to execute it and comes to the command, it forces the system to 'jump' to the malware's code and execute that instead. This technique was used to make discovery and disinfection of the malicious code harder.PayloadOnce installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions performed depend on the specific variant in question, but generally Sality viruses will attempt to terminate processes, particularly those related to security programs. The virus may also attempt to open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.	Salty Spider	https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py https://unit42.paloaltonetworks.com/c2-traffic/ https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf https://www.cisa.gov/uscert/ncas/alerts/aa22-110a https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf	https://malpedia.caad.fkie.fraunhofer.de/details/win.sality

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\winyisy.exe	INDICATOR_EXE_Packed_SimplePolyEngine	Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality	ditekSHen	0x14:$b1: yrf<[LordPE] 0x210:$b2: Hello world!

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2776830876.00000000023B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Sality	Yara detected Sality	Joe Security
Process Memory Space: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe PID: 5392	JoeSecurity_Sality	Yara detected Sality	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe.23b2300.7.raw.unpack	INDICATOR_EXE_Packed_SimplePolyEngine	Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality	ditekSHen	0x1b7c:$s1: Simple Poly Engine v 0x14:$b1: yrf<[LordPE] 0x210:$b2: Hello world!
0.2.theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe.550d3e8.10.raw.unpack	INDICATOR_EXE_Packed_SimplePolyEngine	Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality	ditekSHen	0x14:$b1: yrf<[LordPE] 0x210:$b2: Hello world!
0.2.theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe.23b25f4.8.raw.unpack	INDICATOR_EXE_Packed_SimplePolyEngine	Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality	ditekSHen	0x1888:$s1: Simple Poly Engine v
0.2.theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe.2330000.6.unpack	JoeSecurity_Sality	Yara detected Sality	Joe Security
0.2.theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe.2330000.6.unpack	INDICATOR_EXE_Packed_SimplePolyEngine	Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality	ditekSHen	0x83e7c:$s1: Simple Poly Engine v 0x82314:$b1: yrf<[LordPE] 0x82510:$b2: Hello world!

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe", ParentImage: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, ParentProcessId: 5392, ParentProcessName: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, ProcessId: 3464, ProcessName: svchost.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, ProcessId: 5392, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe", ParentImage: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, ParentProcessId: 5392, ParentProcessName: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, ProcessId: 3464, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ankara-cambalkon.net/images/logo.gif	Avira URL Cloud: Label: malware
Source: http://www.akpartisariveliler.com/images/img.gif	Avira URL Cloud: Label: malware
Source: http://arimaexim.com/logo.gif	Avira URL Cloud: Label: malware
Source: http://kukutrustnet987.info/home.gif	Avira URL Cloud: Label: malware
Source: http://abb.ind.in/logo.gif	Avira URL Cloud: Label: malware
Source: http://www.klkjwre9fqwieluoi.info/amsint32.sysGetSystemDirectoryAdrivers	Avira URL Cloud: Label: phishing
Source: http://businecessity.com/logo.gif	Avira URL Cloud: Label: malware
Source: http://www.klkjwre9fqwieluoi.info/	Avira URL Cloud: Label: phishing
Source: http://kukutrustnet777888.info/DisableTaskMgrSoftware	Avira URL Cloud: Label: phishing
Source: http://amnisure.com.tr/images/logo.gif	Avira URL Cloud: Label: malware
Source: http://abb.ind.in/logo.gifhttp://www.akpartisariveliler.com/images/img.gif4j14/logo.gif	Avira URL Cloud: Label: malware
Source: http://yeni.antalyahilal.com/logo.gif	Avira URL Cloud: Label: malware
Source: http://bhagavatirannade.org/logo.gif	Avira URL Cloud: Label: malware
Source: http://aocuoikhanhlinh.vn/images/logo.gif	Avira URL Cloud: Label: malware
Source: http://businecessity.com/logo.gifhttp://al-somow.com/images/logo.gifhttp://amnisure.com.tr/images/lo	Avira URL Cloud: Label: malware
Source: http://89.119.67.154/testo5/http://kukutrustnet777.info/home.gifhttp://kukutrustnet888.info/home.gif	Avira URL Cloud: Label: malware
Source: http://kukutrustnet777.info/home.gif	Avira URL Cloud: Label: malware
Source: http://kukutrustnet888.info/home.gif	Avira URL Cloud: Label: malware
Source: http://al-somow.com/images/logo.gif	Avira URL Cloud: Label: malware
Source: http://kukutrustnet777888.info/	Avira URL Cloud: Label: phishing
Source: http://89.119.67.154/testo5/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\winyisy.exe

Avira: detection malicious, Label: W32/Sality.AT

Multi AV Scanner detection for submitted file

Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Virustotal: Detection: 84%			Perma Link
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	ReversingLabs: Detection: 91%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.4% probability

Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\theants.exe	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\core	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\config	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\config\package.conf	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\core\restart.bat	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\core\restart.vbs	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\128x128.png	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\128x128@2x.png	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\32x32.png	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\48x48.ico	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\Square107x107Logo.png	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\Square142x142Logo.png	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\Square150x150Logo.png	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\Square284x284Logo.png	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\Square30x30Logo.png	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\Square310x310Logo.png	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\Square44x44Logo.png	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\Square71x71Logo.png	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\Square89x89Logo.png	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\StoreLogo.png	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\icon.icns	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\icon.ico	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\icons\icon.png	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Directory created: C:\Program Files\The Ants\official.txt	Jump to behavior

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\The Ants

Source: Yara match	File source: 0.2.theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe.2330000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2776830876.00000000023B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe PID: 5392, type: MEMORYSTR

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File opened: e:	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: c:	Jump to behavior

Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023B0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: [AutoRun]
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023B0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023B0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: _kkiuynbvnbrev406C:\hh8geqpHJTkdns0MCIDRV_VERMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)MPRNtQuerySystemInformationSoftware\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache GlobalUserOfflineSoftware\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Windows\CurrentVersionhttp://www.klkjwre9fqwieluoi.info/amsint32.sysGetSystemDirectoryAdrivers\KeServiceDescriptorTable_os%d%dhttp://kukutrustnet777888.info/DisableTaskMgrSoftware\Microsoft\Windows\CurrentVersion\policies\systemEnableLUASoftware\Microsoft\Windows\ShellNoRoam\MUICachemonga_bongapurity_control_90833SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile%s:*:Enabled:ipsecSYSTEM\CurrentControlSet\Services\SharedAccessStart\AuthorizedApplications\ListSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHidden[AutoRun]
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023B0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: shell\explore\Commandshell\Autoplay\commandDisableRegistryToolsDAEMON.Simple Poly Engine v1.1a(c) Sector\SvcSOFTWARE\Microsoft\Security CenterAntiVirusOverrideAntiVirusDisableNotifyFirewallDisableNotifyFirewallOverrideUpdatesDisableNotifyUacDisableNotifyAntiSpywareOverrideSYSTEMkukutrusted!.CreateMutexAKERNEL32TEXTUPXCODEGdiPlus.dllDEVICEMBhttp://\Runhttpipfltdrv.syswww.microsoft.com?%x=%d&%x=%dSYSTEM.INIUSER32.DLL.%c%s\\.\amsint32.EXE.SCRSfcIsFileProtectedsfcdrw.VDB.AVCNTDLL.DLLrnd=autorun.infEnableFirewallDoNotAllowExceptionsDisableNotificationsWNetEnumResourceAWNetOpenEnumAWNetCloseEnumADVAPI32.DLLCreateServiceAOpenSCManagerAOpenServiceACloseServiceHandleDeleteServiceControlService__hStartServiceANOTICE__drIPFILTERDRIVERChangeServiceConfigAwin%s.exe%s.exeWININET.DLLInternetOpenAInternetReadFileInternetOpenUrlAInternetCloseHandleAVPAgnitum Client Security ServiceALGAmon monitoraswUpdSvaswMon2aswRdraswSPaswTdiaswFsBlkacssrvAV Engineavast! iAVS4 Control Serviceavast! Antivirusavast! Mail Scanneravast! Web Scanneravast! Asynchronous Virus Monitoravast! Self ProtectionAVG E-mail ScannerAvira AntiVir Premium GuardAvira AntiVir Premium WebGuardAvira AntiVir Premium MailGuardBGLiveSvcBlackICECAISafeccEvtMgrccProxyccSetMgrCOMODO Firewall Pro Sandbox DrivercmdGuardcmdAgentEset ServiceEset HTTP ServerEset Personal FirewallF-Prot Antivirus Update MonitorfsbwsysFSDFWDF-Secure Gatekeeper Handler StarterFSMAGoogle Online ServicesInoRPCInoRTInoTaskISSVCKPF4KLIFLavasoftFirewallLIVESRVMcAfeeFrameworkMcShieldMcTaskManagerMpsSvcnavapsvcNOD32krnNPFMntorNSCServiceOutpost Firewall main moduleOutpostFirewallPAVFIRESPAVFNSVRPavProtPavPrSrvPAVSRVPcCtlComPersonalFirewalPREVSRVProtoPort Firewall servicePSIMSVCRapAppSharedAccessSmcServiceSNDSrvcSPBBCSvcSpIDer FS Monitor for Windows NTSpIDer Guard File System MonitorSPIDERNTSymantec Core LCSymantec Password ValidationSymantec AntiVirus Definition WatcherSavRoamSymantec AntiVirusTmntsrvTmPfwUmxAgentUmxCfgUmxLUUmxPolvsmonVSSERVWebrootDesktopFirewallDataServiceWebrootFirewallwscsvcXCOMMSystem\CurrentControlSet\Control\SafeBoot%d%d.tmpSOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList%s\%s%s\Software\Microsoft\Windows\CurrentVersion\Ext\StatsSoftware\Microsoft\Windows\CurrentVersion\Ext\StatsSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper ObjectsKERNEL32.DLLbootshellSYSTEM.INIExplorer.exeAVPM.A2GUARDA2CMD.A2SERVICE.A2FREEAVASTADVCHK.AGB.AKRNL.AHPROCMONSERVER.AIRDEFENSEALERTSVCAVIRAAMON.TROJAN.AVZ.ANTIVIRAPVXDWIN.ARMOR2NET.ASHAVAST.ASHDISP.ASHENHCD.ASHMAISV.ASHPOPWZ.ASHSERV.ASHSIMPL.ASHSKPCK.ASHWEBSV.ASWUPDSV.ASWSCANAVCIMAN.AVCONSOL.AVENGINE.AVESVC.AVEVAL.AVEVL32.AVGAMAVGCC.AVGCHSVX.AVGCSRVX.AVGNSX.AVGCC32.AVGCTRL.AVGEMC.AVGFWSRV.AVGNT.AVCENTERAVGNTMGRAVGSERV.AVGTRAY.AVGUARD.AVGUPSVC.AVGWDSVC.AVINITNT.AVKSERV.AVKSERVICE.AVKWCTL.AVP.AVP32.AVPCC.AVASTAVSERVER.AVSCHED32.AVSYNMGR.AVWUPD32.AVWUPSRV.AVXMONITORAVXQUAR.BDSWITCH.BLACKD.BLACKICE.CAFIX.BITDEFENDERCCEVTMGR.CFP.CFPCONFIG.CCSETMGR.CFIAUDIT.CLAMTRAY.CL

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0233BADD Sleep,FindFirstFileA,FindNextFileA,FindClose,Sleep,	0_2_0233BADD
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_023357A0 FindFirstFileA,FindNextFileA,Sleep,	0_2_023357A0

Source: Joe Sandbox View	IP Address: 204.79.197.203 204.79.197.203
Source: Joe Sandbox View	IP Address: 204.79.197.203 204.79.197.203
Source: Joe Sandbox View	IP Address: 2.23.227.215 2.23.227.215

Source: global traffic	TCP traffic: 192.168.2.8:49675 -> 2.23.227.215:443
Source: global traffic	TCP traffic: 192.168.2.8:49671 -> 204.79.197.203:443

Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443

Source: 0.2.theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe.23b2300.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
Source: 0.2.theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe.550d3e8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
Source: 0.2.theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe.23b25f4.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
Source: 0.2.theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe.2330000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\winyisy.exe, type: DROPPED	Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen

Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: winyisy.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2790836053.000000000445C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://.css
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2790836053.000000000445C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://.jpg
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://89.119.67.154/testo5/
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://89.119.67.154/testo5/http://kukutrustnet777.info/home.gifhttp://kukutrustnet888.info/home.gif
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D9000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2755104088.000000000047F000.00000040.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2769734758.0000000000953000.00000004.10000000.00040000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.0000000000588000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.000000000231E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://abb.ind.in/logo.gif
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D9000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2755104088.000000000047F000.00000040.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2769734758.0000000000953000.00000004.10000000.00040000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.0000000000588000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.000000000231E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://abb.ind.in/logo.gifhttp://www.akpartisariveliler.com/images/img.gif4j14/logo.gif
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D9000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2755104088.000000000047F000.00000040.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2769734758.0000000000953000.00000004.10000000.00040000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023A5000.00000040.00001000.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.0000000002318000.00000004.00000010.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.000000000231E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://al-somow.com/images/logo.gif
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D9000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2755104088.000000000047F000.00000040.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2769734758.0000000000953000.00000004.10000000.00040000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023A5000.00000040.00001000.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.0000000002318000.00000004.00000010.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.000000000231E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://amnisure.com.tr/images/logo.gif
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D9000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2755104088.000000000047F000.00000040.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2769734758.0000000000953000.00000004.10000000.00040000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023A5000.00000040.00001000.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.0000000002318000.00000004.00000010.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.000000000231E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ankara-cambalkon.net/images/logo.gif
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D9000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2755104088.000000000047F000.00000040.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2769734758.0000000000953000.00000004.10000000.00040000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023A5000.00000040.00001000.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.0000000002318000.00000004.00000010.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.000000000231E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://aocuoikhanhlinh.vn/images/logo.gif
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D9000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2755104088.000000000047F000.00000040.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2769734758.0000000000953000.00000004.10000000.00040000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023A5000.00000040.00001000.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.0000000002318000.00000004.00000010.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.000000000231E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://arimaexim.com/logo.gif
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D9000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2755104088.000000000047F000.00000040.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2769734758.0000000000953000.00000004.10000000.00040000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023A5000.00000040.00001000.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.0000000002318000.00000004.00000010.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.000000000231E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://bhagavatirannade.org/logo.gif
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D9000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2755104088.000000000047F000.00000040.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2769734758.0000000000953000.00000004.10000000.00040000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023A5000.00000040.00001000.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.0000000002318000.00000004.00000010.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.000000000231E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://businecessity.com/logo.gif
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D9000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2755104088.000000000047F000.00000040.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2769734758.0000000000953000.00000004.10000000.00040000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023A5000.00000040.00001000.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.0000000002318000.00000004.00000010.00020000.00000000.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2774551583.000000000231E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://businecessity.com/logo.gifhttp://al-somow.com/images/logo.gifhttp://amnisure.com.tr/images/lo
Source: explorer.exe, 00000009.00000003.2676873302.000000000745A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.942805255.0000000007459000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2745781803.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.934343024.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2801228850.000000000745D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2676745326.0000000007459000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: svchost.exe, 00000007.00000000.921621744.0000010752DA7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2775988564.0000010752DA7000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.1025533731.000002A64C26D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2748859971.000000000040A000.00000004.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2790836053.000000000445C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2748859971.000000000040A000.00000004.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2790836053.000000000445C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: explorer.exe, 00000009.00000003.2676873302.000000000745A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.942805255.0000000007459000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2745781803.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.934343024.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2801228850.000000000745D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2676745326.0000000007459000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000007.00000000.921621744.0000010752DA7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2775988564.0000010752DA7000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.1025533731.000002A64C26D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2748859971.000000000040A000.00000004.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2790836053.000000000445C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2748859971.000000000040A000.00000004.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2790836053.000000000445C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2748859971.000000000040A000.00000004.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2790836053.000000000445C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SearchApp.exe, 0000000D.00000000.1057310366.000002A660A7A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: SearchApp.exe, 0000000D.00000000.1067390094.000002A661823000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4889186
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2790836053.000000000445C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dummy.testC:
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2790836053.000000000445C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://kukutrustnet777.info/home.gif
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://kukutrustnet777888.info/
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://kukutrustnet777888.info/DisableTaskMgrSoftware
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://kukutrustnet888.info/home.gif
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2776830876.00000000023B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://kukutrustnet987.info/home.gif
Source: StartMenuExperienceHost.exe, 0000000B.00000002.2777382431.0000019615BD4000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000B.00000000.963808517.0000019615BD4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.a.0p
Source: StartMenuExperienceHost.exe, 0000000B.00000002.2777382431.0000019615BD4000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000B.00000000.963808517.0000019615BD4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c.0
Source: StartMenuExperienceHost.exe, 0000000B.00000002.2777382431.0000019615BD4000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000B.00000000.963808517.0000019615BD4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.hoP
Source: StartMenuExperienceHost.exe, 0000000B.00000002.2777382431.0000019615BD4000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000B.00000000.963808517.0000019615BD4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adora
Source: RuntimeBroker.exe, 0000000C.00000002.2760991469.0000028DCDD0D000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000000C.00000000.990061497.0000028DCDD0D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.microsoft.t/qH
Source: StartMenuExperienceHost.exe, 0000000B.00000002.2777382431.0000019615BD4000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000B.00000000.963808517.0000019615BD4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.ph1
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000000.880929645.0000000000408000.00000008.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2748859971.000000000040A000.00000004.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2790836053.000000000445C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2748859971.000000000040A000.00000004.00000001.01000000.00000003.sdmp, theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2790836053.000000000445C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.921621744.0000010752DA7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2775988564.0000010752DA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2676873302.000000000745A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.942805255.0000000007459000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2745781803.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.934343024.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2801228850.000000000745D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2676745326.0000000007459000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.1025533731.000002A64C26D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F408	0_2_0047F408
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F227	0_2_0047F227
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F22C	0_2_0047F22C
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F63B	0_2_0047F63B
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F6D0	0_2_0047F6D0
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F2EB	0_2_0047F2EB
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F8FD	0_2_0047F8FD
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F6FB	0_2_0047F6FB
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F2B4	0_2_0047F2B4
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F55E	0_2_0047F55E
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_00406D5F	0_2_00406D5F
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F13D	0_2_0047F13D
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F3C8	0_2_0047F3C8
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F7FF	0_2_0047F7FF
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F585	0_2_0047F585
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_02339652	0_2_02339652
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_023422A0	0_2_023422A0
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_02336A85	0_2_02336A85

Source: 0.2.theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe.23b2300.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
Source: 0.2.theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe.550d3e8.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
Source: 0.2.theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe.23b25f4.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
Source: 0.2.theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe.2330000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
Source: C:\Users\user\AppData\Local\Temp\winyisy.exe, type: DROPPED	Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403640
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0233CC92 LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,GetTokenInformation,GetTokenInformation,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,		0_2_0233CC92

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2592_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2560_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2584_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_4892_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1996_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2532_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1512_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_4020_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2940_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1128_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\csrss.exeM_492_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\conhost.exeM_5804_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3512_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\searchapp.exeM_4824_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_976_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_6036_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1680_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1284_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1820_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2256_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\explorer.exeM_4056_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_936_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_4392_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3988_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\dashost.exeM_4432_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\dllhost.exeM_344_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\winlogon.exeM_556_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1828_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3508_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\startmenuexperiencehost.exeM_4632_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_4720_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_788_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1196_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2956_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1144_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1112_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1156_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\csrss.exeM_404_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_604_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1532_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\lsass.exeM_636_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_5012_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\smartscreen.exeM_4388_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2388_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1348_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2376_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\smss.exeM_324_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\uxJLpe1m
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_796_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_784_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_368_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1076_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3760_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\wmiprvse.exeM_5312_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2668_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_392_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1444_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2208_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\wmiprvse.exeM_5796_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_764_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_4108_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1616_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\wininit.exeM_484_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2012_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\registryM_92_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2004_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2464_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1624_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_728_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\wmiprvse.exeM_5868_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3328_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3736_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\services.exeM_628_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\memory compressionM_1500_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2492_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\sihost.exeM_3444_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3464_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\spoolsv.exeM_2168_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\officeclicktorun.exeM_2548_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2736_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\ctfmon.exeM_3800_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\backgroundtaskhost.exeM_2752_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\dwm.exeM_1000_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1356_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_5160_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_884_
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1372_

Source: unknown	Process created: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe "C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Program Files\The Ants\theants.exe "C:\Program Files\The Ants\theants.exe"
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Process created: C:\Program Files\The Ants\theants.exe "C:\Program Files\The Ants\theants.exe"	Jump to behavior

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wpnclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: contentdeliverymanager.utilities.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinui.pcshell.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: iertutil.dll	Jump to behavior

Source: The Ants.lnk.0.dr	LNK file: ..\..\..\Program Files\The Ants\theants.exe
Source: The Ants.lnk0.0.dr	LNK file: ..\..\..\..\..\Program Files\The Ants\theants.exe

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Automated click: Next >
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Automated click: Next >
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Automated click: Next >

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0047F999 push esp; retf	0_2_0047F9B3
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_02343600 push eax; ret	0_2_0234362E
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Code function: 0_2_0233072E push eax; iretd	0_2_0233072F

Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Static PE information: section name: .rsrc entropy: 7.936594467672057
Source: winyisy.exe.0.dr	Static PE information: section name: .text entropy: 7.987829892954023

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File created: C:\Users\user\AppData\Local\Temp\003AD69F_Rar\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Jump to dropped file
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File created: C:\Users\user\AppData\Local\Temp\nssD8A4.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File created: C:\Users\user\AppData\Local\Temp\nssD8A4.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File created: C:\Program Files\The Ants\theants.exe	Jump to dropped file
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File created: C:\Program Files\The Ants\uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File created: C:\Users\user\AppData\Local\Temp\winyisy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File created: C:\Users\user\AppData\Local\Temp\nssD8A4.tmp\nsis_tauri_utils.dll	Jump to dropped file

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_0-12269
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_0-12269

Source: SearchApp.exe, 0000000D.00000003.1045696308.0000029E49F1D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\MOBIRISE4\MOBIRISE.EXE11976
Source: SearchApp.exe, 0000000D.00000000.1071904095.000002A662313000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\WIRESHARK\WIRESHARK.EXE
Source: SearchApp.exe, 0000000D.00000000.1071904095.000002A662313000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\SAS\JMP\14\JMP.EXE12026{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\CITAVI 5\BIN\CITAVI.EXE{6D809377-6AF0-444B-8957-A3773F02200E}\ROBO 3T 1.1.1\ROBO3T.EXE{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\MOBIRISE4\MOBIRISE.EXE
Source: SearchApp.exe, 0000000D.00000003.1045696308.0000029E49F1D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\SYSPROGS\SMARTTY\SMARTTY.EXE11975{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Z8GAMES\CROSSFIRE\PATCHER_CF.EXE1198830067IRFANSKILJANIRFANVIE.IRFANVIEW64_PSGEC73N2N7NE!IRFANVIEW64APP11990{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\MOBIRISE4\MOBIRISE.EXE11976
Source: SearchApp.exe, 0000000D.00000003.1044858675.000002A661BA2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1045143229.000002A661BA8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X64\WINDBG.EXE11179
Source: SearchApp.exe, 0000000D.00000000.1071904095.000002A662313000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\GIMP 2\BIN\GIMP-2.8.EXEMICROSOFT.PPIPROJECTION_CW5N1H2TXYEWY!MICROSOFT.PPIPROJECTION{6D809377-6AF0-444B-8957-A3773F02200E}\WIRESHARK\WIRESHARK.EXE{6D809377-6AF0-444B-8957-A3773F02200E}\KODI\KODI.EXE
Source: SearchApp.exe, 0000000D.00000003.1044858675.000002A661BA2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1045143229.000002A661BA8000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1046233870.000002A661BB0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X86\WINDBG.EXE12392
Source: SearchApp.exe, 0000000D.00000000.1071904095.000002A662313000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\FIDDLER2\FIDDLER.EXE
Source: SearchApp.exe, 0000000D.00000003.1044858675.000002A661BA2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1045143229.000002A661BA8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE11328
Source: SearchApp.exe, 0000000D.00000000.1071904095.000002A662313000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\MOBIRISE4\MOBIRISE.EXE

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Thread delayed: delay time: 180000			Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Thread delayed: delay time: 300000			Jump to behavior

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\003AD69F_Rar\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Jump to dropped file
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssD8A4.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssD8A4.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Dropped PE file which has not been started: C:\Program Files\The Ants\uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\winyisy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssD8A4.tmp\nsis_tauri_utils.dll	Jump to dropped file

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe TID: 5400	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe TID: 5724	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe TID: 3016	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\sihost.exe TID: 7444	Thread sleep time: -32000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File Volume queried: C:\Program Files FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	File Volume queried: C:\Program Files FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\Desktop\theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Thread delayed: delay time: 300000	Jump to behavior

Source: dwm.exe, 00000004.00000000.889178985.00000233F4010000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareSATA_CDs
Source: explorer.exe, 00000009.00000002.2816555937.00000000095B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.945364717.00000000095B2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWt mouse
Source: explorer.exe, 00000009.00000000.941254805.00000000031A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001
Source: SearchApp.exe, 0000000D.00000000.1068812737.000002A661BC2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware Workstation\vmnetcfg.exe
Source: svchost.exe, 00000007.00000000.921696010.0000010752DAA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.921356988.0000010752D0A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2777433412.0000010752DAA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2771111409.0000010752D00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.945364717.0000000009741000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2816555937.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.945364717.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2816555937.0000000009741000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2676132077.0000000009741000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SearchApp.exe, 0000000D.00000000.1071949633.000002A662324000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware vsphere client\|vcenter5038P
Source: explorer.exe, 00000009.00000003.2675228293.0000000009836000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SearchApp.exe, 0000000D.00000000.1071949633.000002A662324000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vdi3894b
Source: SearchApp.exe, 0000000D.00000000.1073969284.000002A6626C8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware.View.Client
Source: SearchApp.exe, 0000000D.00000000.1073969284.000002A6626C8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: C:\Ignition\IgnitionCasino.exeVMware.View.Client12451
Source: SearchApp.exe, 0000000D.00000003.1142903407.000002A6623F7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware.Horizon.Client462
Source: dwm.exe, 00000004.00000002.2780650541.00000233F4074000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe, 00000000.00000002.2760156320.0000000000588000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: explorer.exe, 00000009.00000000.946334289.00000000098F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}CA
Source: explorer.exe, 00000009.00000002.2766661950.00000000031A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000bb'
Source: SearchApp.exe, 0000000D.00000000.1071949633.000002A662324000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware workstation 15 player\|vmplayer6438\|voice recorder\|voice recording8034
Source: SearchApp.exe, 0000000D.00000003.1135955732.000002A661C9F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vm ware8394
Source: explorer.exe, 00000009.00000003.2676132077.0000000009741000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00_
Source: svchost.exe, 00000006.00000002.2753305017.000001C557CAE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;n
Source: SearchApp.exe, 0000000D.00000000.1071949633.000002A662324000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware workstation 12 player\|vmpl5459b
Source: explorer.exe, 00000009.00000000.941254805.00000000031A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: SearchApp.exe, 0000000D.00000003.1143659745.000002A661BED000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1044973049.000002A661BE4000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1046146435.000002A661BE8000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1135256316.000002A661BE6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\Hyper-V\VMCreate.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\MP3Gain\MP3GainGUI.exe{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\services.msc{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Avid\iNEWS\ANWS.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\SAP\NWBC65\NWBC.exe
Source: SearchApp.exe, 0000000D.00000003.1135955732.000002A661C9F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware workstation 12 player\|vmpl5459
Source: SearchApp.exe, 0000000D.00000003.1135955732.000002A661C9F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|\|vmware6886
Source: SearchApp.exe, 0000000D.00000000.1072443420.000002A6623B2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1137139872.000002A661C23000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1048717133.000002A6623B2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1135955732.000002A661C9F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|hyper-v manager\|vm4595
Source: SearchApp.exe, 0000000D.00000003.1139818461.000002A662644000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|*\|qemu10642
Source: SearchApp.exe, 0000000D.00000003.1142903407.000002A6623F7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware.Horizon.Client
Source: explorer.exe, 00000009.00000002.2820062779.00000000097CB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: SearchApp.exe, 0000000D.00000003.1135955732.000002A661C9F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vmare7220
Source: RuntimeBroker.exe, 0000000C.00000000.988977417.0000028DCDC58000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SearchApp.exe, 0000000D.00000003.1140461417.000002A6626E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|chrome655\|heroes of the storm\|heros4494\|hourly analysis program 5.01\|hap1\|hourly analysis program 5.10\|hap1\|hourly analysis program 5.11\|hap114\|google chrome\|goole chrome12691\|google chrome\|chchrome12839\|grand theft auto vice city\|gta1\|hearts of iron iv man the guns\|hoi42522\|hourly analysis program 4.90\|hap375\|hp scan and capture\|hpscan6530\|hp support assistant\|hp ass4184\|google chrome\|google crhome13085\|google chrome\|google.com6973\|groove music\|play music6857\|google chrome\|googe chrome13035\|google earth pro\|googleearth7849\|herramienta recortes\|sni2296\|hourly analysis program 4.50\|hap1\|google chrome\|open chrome11712\|google chrome\|google hrome12903\|ibm integration toolkit 10.0.0.11\|iib1\|internet download accelerator\|ida842\|ibm notes (basic)\|lotus3079\|internet download manager\|idman7834\|internet download manager\|idmm8541\|hpe unified functional testing\|uft1\|income tax planner workstation\|bna1\|import passwords\|lastpass1242\|i.r.i.s. ocr registration\|iris1117\|ibm integration toolkit 10.0.0.13\|iib1\|ic business manager\|icb1577\|idle (python 3.7 32-bit)\|idel6028\|hyper-v manager\|virtual5441\|hpe content manager\|trim1743\|image composite editor\|ice852\|instrument de decupare\|snipp3115\|hp unified functional testing\|uft1\|hp support assistant\|hps5179\|huawei operation & maintenance system\|lmt1\|hpe records manager\|trim1399\|integrated operations system\|ios1\|intel(r) extreme tuning utility\|xtu1972\|integrated dealer systems - g2\|ids1249\|interaction administrator\|ia2559\|ibm integration toolkit 10.0.0.12\|iib1\|ibm integration toolkit 10.0.0.10\|iib1\|hyper-v manager\|hyper v4919\|ibm integration toolkit 10.0.0.15\|iib1\|ibm integration toolkit 10.0.0.7\|iib403\|idle (python 3.7 64-bit)\|idel5996\|idle (python gui)\|python idle5336\|integrated architecture builder\|iab1\|internet explorer\|internet exlorer12367\|internet explorer\|internet exporer11529\|internet explorer\|internetexplorer11135\|internet download manager\|don8066\|internet explorer\|microsoft inter12883\|internet explorer\|iexplorer.exe12640\|internet explorer\|iexplore.exe10131\|internet explorer\|internet exo12692\|internet explorer\|enternet explorer12262\|internet download manager\|imd6996\|internet explorer\|internet browser12498\|internet download manager\|intr7920\|internet download manager\|ine9116\|internet explorer\|interenet explorer12754\|internet explorer\|interner explorer12898\|internet explorer\|internet explorr12778\|internet explorer\|explorer 1112728\|internet explorer\|internet explorere10177\|internet explorer\|web browser12850\|internet explorer\|inernet explorer12324\|internet explorer\|interent explorer12236\|internet download manager\|ib8855\|internet explorer\|internet exployer11237\|internet explorer\|internet expolorer12620\|internet exp
Source: explorer.exe, 00000009.00000002.2745781803.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA
Source: SearchApp.exe, 0000000D.00000003.1135955732.000002A661C9F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware workstation 15 player\|vmplayer6438
Source: SearchApp.exe, 0000000D.00000000.1058227149.000002A660AC1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe12207eI
Source: svchost.exe, 00000006.00000002.2753305017.000001C557CAE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
Source: SearchApp.exe, 0000000D.00000000.1072443420.000002A6623B2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1137139872.000002A661C23000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1048717133.000002A6623B2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1135955732.000002A661C9F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|\|qemu10642
Source: SearchApp.exe, 0000000D.00000003.1142903407.000002A6623F7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: C:\xampp\xampp-control.exe7019VMware.Workstation.vmui
Source: svchost.exe, 00000006.00000002.2753305017.000001C557CAE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;nlse]
Source: SearchApp.exe, 0000000D.00000000.1072443420.000002A6623B2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1137139872.000002A661C23000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1048717133.000002A6623B2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1135955732.000002A661C9F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|hyper-v manager\|hyperv4178
Source: dwm.exe, 00000004.00000000.889178985.00000233F40EB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: r&Prod_VMware_SATA_CD00\4&224f42ef&0&000000r
Source: SearchApp.exe, 0000000D.00000003.1142903407.000002A6623F7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware.Workstation.vmui
Source: explorer.exe, 00000009.00000000.934343024.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000o
Source: SearchApp.exe, 0000000D.00000000.1072443420.000002A6623B2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1137139872.000002A661C23000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1140461417.000002A6626E5000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1048717133.000002A6623B2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1135955732.000002A661C9F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|hyper-v manager\|virtual5441
Source: svchost.exe, 00000006.00000000.917554438.000001C557C8E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2751956503.000001C557C8E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SearchApp.exe, 0000000D.00000003.1143659745.000002A661BED000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1044973049.000002A661BE4000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1046146435.000002A661BE8000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1135256316.000002A661BE6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\Hyper-V\VMCreate.exe
Source: SearchApp.exe, 0000000D.00000003.1046233870.000002A661BB0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware Workstation\vmnetcfg.exe12004
Source: SearchApp.exe, 0000000D.00000003.1142903407.000002A6623F7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware.Workstation.vmplayer
Source: explorer.exe, 00000009.00000002.2820062779.00000000097CB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: SearchApp.exe, 0000000D.00000000.1058227149.000002A660AC1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe12207el
Source: explorer.exe, 00000009.00000003.2675228293.0000000009836000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000003.2676998808.000000000C219000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATAni
Source: explorer.exe, 00000009.00000000.934343024.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000_
Source: SearchApp.exe, 0000000D.00000003.1135955732.000002A661C9F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware vsphere client\|vspe6388
Source: SearchApp.exe, 0000000D.00000003.1046146435.000002A661BE8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: AirWatchLLC.VMwareWorkspaceONE_htcwkw4rx2gx4!App11496
Source: SearchApp.exe, 0000000D.00000003.1135955732.000002A661C9F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vdi3894
Source: SearchApp.exe, 0000000D.00000000.1072443420.000002A6623B2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1137139872.000002A661C23000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1140461417.000002A6626E5000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1048717133.000002A6623B2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.1135955732.000002A661C9F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|hyper-v manager\|hyper v4919
Source: SearchApp.exe, 0000000D.00000000.1058227149.000002A660AC1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe
Source: explorer.exe, 00000009.00000002.2820062779.00000000097CB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: SearchApp.exe, 0000000D.00000003.1046045664.000002A661829000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe12207
Source: SearchApp.exe, 0000000D.00000003.1135955732.000002A661C9F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|view5503
Source: svchost.exe, 00000006.00000002.2753305017.000001C557CAE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
Source: SearchApp.exe, 0000000D.00000000.1071949633.000002A662324000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vm ware8394P
Source: explorer.exe, 00000009.00000000.934343024.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ji
Source: SearchApp.exe, 0000000D.00000000.1069885865.000002A661D77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: MSAFD RfComm [Bluetooth]Hyper-V RAW
Source: SearchApp.exe, 0000000D.00000003.1135955732.000002A661C9F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware vsphere client\|vcenter5038
Source: dwm.exe, 00000004.00000000.889178985.00000233F4010000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000