Edit tour

Windows Analysis Report
#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe

Overview

General Information

Sample name:	#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe renamed because original name is a hash value
Original sample name:	.exe
Analysis ID:	1640090
MD5:	5f3d1f1e17afc55fd804807831cb837c
SHA1:	120e0c815da5bb2fd03e7cc582c81ee70e1ddab9
SHA256:	0c06255e9c03f387f96c7a225b6b8f39021b1d03976e9764fa2adf7d46e9cc6a
Tags:	exesalityvirususer-2huMarisa
Infos:

Detection

Score:	45
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Query firmware table information (likely to detect VMs)

Detected non-DNS traffic on DNS port

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains executable resources (Code or Archives)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe (PID: 6732 cmdline: "C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe" MD5: 5F3D1F1E17AFC55FD804807831CB837C)

explorer.exe (PID: 7112 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 2328 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 3188 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 3380 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 904 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 4256 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 636 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 4324 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 4384 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 5500 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 4088 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 4972 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7068 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 4348 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 1428 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 4320 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 4844 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7228 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7372 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7508 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7572 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7728 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7852 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7900 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7988 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 8020 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7124 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 2864 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

rundll32.exe (PID: 4504 cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

explorer.exe (PID: 7584 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: #U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Virustotal: Detection: 76%			Perma Link
Source: #U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	ReversingLabs: Detection: 69%

Source: #U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.9:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.9:64297 version: TLS 1.2

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 204.79.197.203 443

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.9:64281 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=0D619E9D-00BF-4492-8B6E-0F7EE704ACB1&user=m-1bc49ddbecab44279c9cec83d08a0544 HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=67caf6a28fbd41f98b6ce7294c3fa0bf.RefC=2025-03-07T13:37:38Z; MUIDB=3C8465A2A1AF64E315E3700AA0AE654D; _EDGE_V=1; MUID=3C8465A2A1AF64E315E3700AA0AE654D
Source: global traffic	HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=DB0D867D-626E-41E6-A727-8368BB5EE579&user=m-df6c07cae25243818377d7e5b0263a10 HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=67caf6a28fbd41f98b6ce7294c3fa0bf.RefC=2025-03-07T13:37:38Z; MUIDB=3C8465A2A1AF64E315E3700AA0AE654D; _EDGE_V=1; MUID=3C8465A2A1AF64E315E3700AA0AE654D

Source: Joe Sandbox View	IP Address: 204.79.197.203 204.79.197.203
Source: Joe Sandbox View	IP Address: 204.79.197.203 204.79.197.203

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=0D619E9D-00BF-4492-8B6E-0F7EE704ACB1&user=m-1bc49ddbecab44279c9cec83d08a0544 HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=67caf6a28fbd41f98b6ce7294c3fa0bf.RefC=2025-03-07T13:37:38Z; MUIDB=3C8465A2A1AF64E315E3700AA0AE654D; _EDGE_V=1; MUID=3C8465A2A1AF64E315E3700AA0AE654D
Source: global traffic	HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=DB0D867D-626E-41E6-A727-8368BB5EE579&user=m-df6c07cae25243818377d7e5b0263a10 HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=67caf6a28fbd41f98b6ce7294c3fa0bf.RefC=2025-03-07T13:37:38Z; MUIDB=3C8465A2A1AF64E315E3700AA0AE654D; _EDGE_V=1; MUID=3C8465A2A1AF64E315E3700AA0AE654D

Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: c.pki.goog
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: explorer.exe, 00000007.00000002.1220482577.00000000088CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: explorer.exe, 00000007.00000002.1220482577.00000000088CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.981741320.0000000004BE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.
Source: explorer.exe, 00000007.00000002.1220482577.00000000088CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: #U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe, 00000000.00000000.909858927.0000000000CEA000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: explorer.exe, 00000007.00000002.1243748283.000000000D21E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000007.00000002.1243748283.000000000D261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000002.1220482577.0000000008772000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/$w
Source: explorer.exe, 00000007.00000002.1220482577.0000000008772000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/Xw
Source: explorer.exe, 00000007.00000002.1212129172.0000000007807000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1219993313.00000000085E0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000002.1220482577.0000000008772000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?SAb
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.000000000787C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000002.1220482577.0000000008772000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comY
Source: explorer.exe, 00000007.00000002.1177774300.0000000004878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weath
Source: explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
Source: explorer.exe, 00000007.00000002.1219993313.00000000085E0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: explorer.exe, 00000007.00000002.1177774300.0000000004878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1gJOWA.img
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000002.1230565795.0000000008A4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.stacker.com/arizona/phoenix
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1212129172.0000000007730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.yelp.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64297
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64297 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443

Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.9:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.9:64297 version: TLS 1.2

Source: #U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: #U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal45.evad.winEXE@156/5@6/1

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000017.db

Jump to behavior

Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: #U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\explorer.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding

Source: #U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Virustotal: Detection: 76%
Source: #U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	ReversingLabs: Detection: 69%

Source: unknown	Process created: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe "C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe"
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: applicationframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mswb7.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mswb7.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mswb7.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.search.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ehstorshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: applicationframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: holographicextensions.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: virtualmonitormanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: abovelockapphost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: npsm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.bluelightreduction.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.signals.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.data.activities.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.system.launcher.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.ui.shell.windowtabmanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: notificationcontrollerps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.devices.enumeration.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowsudk.shellcommon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dictationmanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorybroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pcshellcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: shellcommoncommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptngc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cflapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: daxexec.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: container.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.fileexplorer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uiribbon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: batmeter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputswitch.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: prnfldr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.shell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: edputil.dll

Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: #U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe

Static file information: File size 9216000 > 1048576

Source: #U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x84a000

Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\explorer.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\explorer.exe	System information queried: FirmwareTableInformation

Source: explorer.exe, 00000007.00000003.980504360.00000000078F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: explorer.exe, 00000007.00000003.980353436.00000000086DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.1220482577.0000000008896000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: explorer.exe, 00000003.00000002.964788720.0000000000E03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000bf
Source: explorer.exe, 00000007.00000002.1139582935.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000AD
Source: explorer.exe, 00000007.00000002.1139582935.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.1212129172.000000000787C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXTpVMWare
Source: explorer.exe, 00000007.00000002.1220482577.00000000088FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000003.963806713.0000000007A56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\EK
Source: explorer.exe, 00000007.00000002.1139582935.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000yEf
Source: explorer.exe, 00000003.00000002.964788720.0000000000E03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000003.963806713.0000000007A56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 204.79.197.203 443

Jump to behavior

Source: explorer.exe, 00000003.00000002.992732123.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.961653911.00000000078F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.986699169.0000000004C80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.986699169.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.963806713.00000000079A3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.956203276.00000000079A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.964788720.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0Progman
Source: explorer.exe, 00000003.00000003.956203276.00000000079A3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.957144254.00000000079B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
#U6d59#U6c5f#U6eab#U5dde#U75c5#U6bd2.exe