Windows Analysis Report
Q3N5HdmTIp.exe

Overview

General Information

Sample name: Q3N5HdmTIp.exe (renamed because original name is a hash value)
Original sample name: 2e68a8634c9fbb9c006569d3b69afa53.exe
Analysis ID: 1640386
MD5: 2e68a8634c9fbb9c006569d3b69afa53
SHA1: 4c2ea24c446851182262a930e8d4e5015d3036c0
SHA256: 273a5d08743875b2d3c93ad8d835aa6e9367b8e2034314ab9615b2a09595f633
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Found Tor onion address
Joe Sandbox ML detected suspicious sample
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious New Service Creation
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Tor Client/Browser Execution
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • Q3N5HdmTIp.exe (PID: 8016 cmdline: "C:\Users\user\Desktop\Q3N5HdmTIp.exe" MD5: 2E68A8634C9FBB9C006569D3B69AFA53)
    • taskkill.exe (PID: 6584 cmdline: taskkill.exe /F /FI "SERVICES eq ConsentUI_1093b712" MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7360 cmdline: sc.exe stop ConsentUI_1093b712 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7524 cmdline: sc.exe create ConsentUI_1093b712 binpath= C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe type= own start= auto error= ignore MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7692 cmdline: sc.exe failure ConsentUI_1093b712 reset= 1 actions= restart/10000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7712 cmdline: sc.exe start ConsentUI_1093b712 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • icacls.exe (PID: 7836 cmdline: icacls.exe C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\ /setowner *S-1-5-18 MD5: 48C87E3B3003A2413D6399EA77707F5D)
      • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • icacls.exe (PID: 1944 cmdline: icacls.exe C:\Users\Public /restore C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\q2G6SUHkZHBj.acl MD5: 48C87E3B3003A2413D6399EA77707F5D)
      • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 8056 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • TbQwNs1NS7.exe (PID: 7788 cmdline: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe MD5: F96CEB4A2B1C1B0C0278CF7546B31661)
    • tor.exe (PID: 3016 cmdline: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe -f C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.rc MD5: 35FE245CD1A7FD3D7BA014F062C625FF)
      • conhost.exe (PID: 2524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7868 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 6556 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 7312 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7188 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7380 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 1696 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe, CommandLine: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe, NewProcessName: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe, OriginalFileName: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe, ProcessId: 7788, ProcessName: TbQwNs1NS7.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc.exe create ConsentUI_1093b712 binpath= C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe type= own start= auto error= ignore, CommandLine: sc.exe create ConsentUI_1093b712 binpath= C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\Q3N5HdmTIp.exe", ParentImage: C:\Users\user\Desktop\Q3N5HdmTIp.exe, ParentProcessId: 8016, ParentProcessName: Q3N5HdmTIp.exe, ProcessCommandLine: sc.exe create ConsentUI_1093b712 binpath= C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe type= own start= auto error= ignore, ProcessId: 7524, ProcessName: sc.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 185.220.101.205, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe, Initiated: true, ProcessId: 3016, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735
Source: Process started | Author: frack113 | Data: Command: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe -f C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.rc, CommandLine: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe -f C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.rc, CommandLine|base64offset|contains: , Image: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe, NewProcessName: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe, OriginalFileName: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe, ParentCommandLine: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe, ParentImage: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe, ParentProcessId: 7788, ParentProcessName: TbQwNs1NS7.exe, ProcessCommandLine: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe -f C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.rc, ProcessId: 3016, ProcessName: tor.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc.exe create ConsentUI_1093b712 binpath= C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe type= own start= auto error= ignore, CommandLine: sc.exe create ConsentUI_1093b712 binpath= C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\Q3N5HdmTIp.exe", ParentImage: C:\Users\user\Desktop\Q3N5HdmTIp.exe, ParentProcessId: 8016, ParentProcessName: Q3N5HdmTIp.exe, ProcessCommandLine: sc.exe create ConsentUI_1093b712 binpath= C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe type= own start= auto error= ignore, ProcessId: 7524, ProcessName: sc.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8056, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: https://reseed.i2pgit.org/ | Avira URL Cloud: Label: malware
Source: https://reseed2.i2p.net/ | Avira URL Cloud: Label: malware
Source: https://reseed.diva.exchange/ | Avira URL Cloud: Label: malware
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\i2pd.exe | ReversingLabs: Detection: 15%
Source: C:\Windows\Temp\x249eCnh | ReversingLabs: Detection: 15%
Source: Q3N5HdmTIp.exe | Virustotal: Detection: 45%
Source: Q3N5HdmTIp.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: tor.exe, 00000011.00000002.3076352599.0000018119D90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -----BEGIN RSA PUBLIC KEY-----
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | File created: C:\Users\user\AppData\Local\Temp\installer.log
Source: Q3N5HdmTIp.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Code function: 12_2_00007FF7774E376A FindFirstFileA,FindNextFileA,_mbscpy,FindClose
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Code function: 12_2_00007FFCABB086DA FindFirstFileA,FindNextFileA,strcpy,FindClose

Networking

Source: global traffic | TCP traffic: 77.83.199.161 ports 41674,41676,1,4,6,7
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: HiddenServiceDirHiddenServiceDirGroupReadable0HiddenServicePortHiddenServiceVersion-1HiddenServiceAllowUnknownPortsHiddenServiceMaxStreamsHiddenServiceMaxStreamsCloseCircuitHiddenServiceNumIntroductionPoints3HiddenServiceExportCircuitIDHiddenServiceEnableIntroDoSDefenseHiddenServiceEnableIntroDoSRatePerSec25HiddenServiceEnableIntroDoSBurstPerSec200HiddenServiceOnionBalanceInstanceHiddenServicePoWDefensesEnabledHiddenServicePoWQueueRate250HiddenServicePoWQueueBurst2500config_generic_servicehs_optsservicehs_opts->HiddenServiceDir%s=%s. Configuring...Onion services version 2 are obsolete. Please see https://blog.torproject.org/v2-deprecation-timeline for more details and for instructions on how to transition to version 3. %s!err_msgHiddenServicePort=%s for %scheck_value_oob%s must be %d, not %d.%s must be between %d and %d, not %d.config_learn_service_versionconfig_has_invalid_optionsHiddenServiceAuthorizeClient
Source: TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: HiddenServiceDirHiddenServiceDirGroupReadable0HiddenServicePortHiddenServiceVersion-1HiddenServiceAllowUnknownPortsHiddenServiceMaxStreamsHiddenServiceMaxStreamsCloseCircuitHiddenServiceNumIntroductionPoints3HiddenServiceExportCircuitIDHiddenServiceEnableIntroDoSDefenseHiddenServiceEnableIntroDoSRatePerSec25HiddenServiceEnableIntroDoSBurstPerSec200HiddenServiceOnionBalanceInstanceHiddenServicePoWDefensesEnabledHiddenServicePoWQueueRate250HiddenServicePoWQueueBurst2500config_generic_servicehs_optsservicehs_opts->HiddenServiceDir%s=%s. Configuring...Onion services version 2 are obsolete. Please see https://blog.torproject.org/v2-deprecation-timeline for more details and for instructions on how to transition to version 3. %s!err_msgHiddenServicePort=%s for %scheck_value_oob%s must be %d, not %d.%s must be between %d and %d, not %d.config_learn_service_versionconfig_has_invalid_optionsHiddenServiceAuthorizeClient
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 130.225.244.90:9001
Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 148.251.198.84:9001
Source: global traffic | TCP traffic: 192.168.2.4:59149 -> 77.83.199.161:41674
Source: global traffic | TCP traffic: 192.168.2.4:59146 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 185.220.101.205
Source: Joe Sandbox View | ASN Name: ASMKNL
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 185.220.101.205
Source: unknown | TCP traffic detected without corresponding DNS query: 194.147.140.106
Source: unknown | TCP traffic detected without corresponding DNS query: 130.225.244.90
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Code function: 12_2_00007FFCABAE1C90 recv
Source: global traffic | HTTP traffic detected: GET /line?fields=query HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; User-Agent: curl/8.4.0; Host: ip-api.com
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730F00000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17B307000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730F00000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17B307000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://3mzmrus2oron5fxptw7hw2puho3bnqmw2hqy7nw64dsrrjwdilva.b32.i2p/cgi-bin/query?hostname=
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://7tbay5p4kzeekxvyvbf6v7eauazemsnnl2aoyqhg5jzpr5eke7tq.b32.i2p/cgi-bin/jump.cgi?a=
Source: svchost.exe, 00000001.00000002.2839166022.00000231D4CA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000001.00000003.1205052021.00000231D49B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000001.00000003.1205052021.00000231D49B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000001.00000003.1205052021.00000231D49B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000001.00000003.1205052021.00000231D49B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000001.00000003.1205052021.00000231D49B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000001.00000003.1205052021.00000231D49B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000001.00000003.1205052021.00000231D49ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000001.00000003.1205052021.00000231D4A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730F00000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17B307000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: TbQwNs1NS7.exe, 0000000C.00000003.1647081324.000002A17A41A000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077506724.000002A17A3AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/
Source: TbQwNs1NS7.exe, 0000000C.00000002.3077506724.000002A17A3AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/ar
Source: TbQwNs1NS7.exe, 0000000C.00000003.2247525188.000002A17A41C000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077707571.000002A17A41C000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000003.2247770903.000002A17A41C000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000003.1647081324.000002A17A41A000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000003.2247383961.000002A17A417000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077506724.000002A17A3AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line?fields=query
Source: TbQwNs1NS7.exe, 0000000C.00000002.3077506724.000002A17A3AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line?fields=queryfirs
Source: TbQwNs1NS7.exe, 0000000C.00000003.1647081324.000002A17A41A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/n
Source: TbQwNs1NS7.exe, 0000000C.00000002.3077506724.000002A17A3AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com:80/line?fields=queryw
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nytzrhrjjfsutowojvxi7hphesskpqqr65wpistz6wa7cpajhp7a.b32.i2p/cgi-bin/jump.cgi?q=
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://reg.i2p/hosts.txt
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/add
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/jump/
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/jump/reg.i2phttp://3mzmrus2oron5
Source: TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks.%s
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://banana.incognet.io/
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://blog.torproject.org/lifecycle-of-a-new-relay
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://blog.torproject.org/lifecycle-of-a-new-relayset
Source: TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://blog.torproject.org/v2-deprecation-timeline
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridges.torproject.org/status?id=%s
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridges.torproject.org/status?id=%suninitialized
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/14917.
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/21155.
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/8742.
Source: svchost.exe, 00000013.00000003.1364460115.000001280F66E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000013.00000003.1364460115.000001280F66E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000013.00000003.1364460115.000001280F66E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://freehaven.net/anonbib/#hs-attack06
Source: svchost.exe, 00000001.00000003.1205052021.00000231D4A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000001.00000003.1205052021.00000231D49F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000001.00000003.1205052021.00000231D4A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000001.00000003.1205052021.00000231D4A43000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1205052021.00000231D4A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000001.00000003.1205052021.00000231D4A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://i2p.ghativega.in/
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://i2p.novg.net/
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://i2pseed.creativecowpat.net:8443/
Source: svchost.exe, 00000001.00000003.1205052021.00000231D4A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000001.00000003.1205052021.00000231D49F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reseed-fr.i2pd.xyz/
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reseed-pl.i2pd.xyz/
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reseed.diva.exchange/
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reseed.i2pgit.org/
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reseed.memcpy.io/
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reseed.onion.im/
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reseed.stormycloud.org/
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed2.i2p.net/
Source: tor.exe, 00000011.00000003.1320406588.000001811A9F0000.00000004.00000020.00020000.00000000.sdmp, tor.exe, 00000011.00000003.1336008658.000001811A9D7000.00000004.00000020.00020000.00000000.sdmp, tor.exe, 00000011.00000003.1323055516.000001811B064000.00000004.00000020.00020000.00000000.sdmp, tor.exe, 00000011.00000003.1337310374.000001811A9EE000.00000004.00000020.00020000.00000000.sdmp, tor.exe, 00000011.00000003.1315281827.000001811ABBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sabotage.net
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.torproject.org/faq/staying-anonymous/
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.torproject.org/faq/staying-anonymous/alphabetaThis
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gnu.org/licenses/gpl-3.0.en.html)
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.torproject.org/
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.torproject.org/docs/faq.html#BestOSForRelay
Source: TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.torproject.org/documentation.html
Source: TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www2.mk16.de/
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
Source: unknownNetwork traffic detected: HTTP traffic on port 59152 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59152
Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile deleted: C:\Windows\Temp\SIZ5ux0kJump to behavior
Source: Joe Sandbox View | Dropped File: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\lyrebird.exe 64841D4D05C5E3438FE56671FEFB886F47E2C8C68F515392220BC0F7831C3779
Source: C:\Windows\System32\icacls.exe | Process token adjusted: Security
Source: x249eCnh.12.dr | Static PE information: Number of sections : 12 > 10
Source: jvCykiN8.12.dr | Static PE information: Number of sections : 11 > 10
Source: VnjNMdWB.12.dr | Static PE information: Number of sections : 11 > 10
Source: unol2WsrLx.dll.12.dr | Static PE information: Number of sections : 11 > 10
Source: 09cNf8RU.12.dr | Static PE information: Number of sections : 11 > 10
Source: rv83Y2s6.12.dr | Static PE information: Number of sections : 11 > 10
Source: i2pd.exe.12.dr | Static PE information: Number of sections : 12 > 10
Source: 3vxRh6uI.12.dr | Static PE information: Number of sections : 11 > 10
Source: unfwt7ILja.dll.12.dr | Static PE information: Number of sections : 11 > 10
Source: unTLh7hyYP.dll.12.dr | Static PE information: Number of sections : 11 > 10
Source: un4VX4OUvi.dll.12.dr | Static PE information: Number of sections : 11 > 10
Source: unUHHarNb4.dll.12.dr | Static PE information: Number of sections : 11 > 10
Source: classification engine | Classification label: mal100.troj.evad.winEXE@35/50@1/11
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Code function: 12_2_00007FFCAFBAB3C1 CreateToolhelp32Snapshot,Process32First,Process32Next,strcmp,CloseHandle
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Code function: 12_2_00007FF7774E81AB strcmp,_read,strcmp,StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | File created: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2524:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:352:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | File created: C:\Users\user\AppData\Local\Temp\install.lock
Source: Q3N5HdmTIp.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | File read: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\config.ini
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Q3N5HdmTIp.exe | Virustotal: Detection: 45%
Source: Q3N5HdmTIp.exe | ReversingLabs: Detection: 36%
Source: unknown | Process created: C:\Users\user\Desktop\Q3N5HdmTIp.exe "C:\Users\user\Desktop\Q3N5HdmTIp.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq ConsentUI_1093b712"
Source: C:\Windows\System32\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | Process created: C:\Windows\System32\sc.exe sc.exe stop ConsentUI_1093b712
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | Process created: C:\Windows\System32\sc.exe sc.exe create ConsentUI_1093b712 binpath= C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe type= own start= auto error= ignore
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | Process created: C:\Windows\System32\sc.exe sc.exe failure ConsentUI_1093b712 reset= 1 actions= restart/10000
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | Process created: C:\Windows\System32\sc.exe sc.exe start ConsentUI_1093b712
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\ /setowner *S-1-5-18
Source: C:\Windows\System32\icacls.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\q2G6SUHkZHBj.acl
Source: C:\Windows\System32\icacls.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Process created: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe -f C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.rc
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\System32\conhost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: profapi.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: cryptbase.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: ntmarta.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: iphlpapi.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: userenv.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: samcli.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: netutils.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: mswsock.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: winhttp.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: samlib.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: webio.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: winnsi.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: dnsapi.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: rasadhlp.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\icacls.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe | Section loaded: ntmarta.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Section loaded: iphlpapi.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Section loaded: cryptbase.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Section loaded: rsaenh.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Section loaded: wldp.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Section loaded: propsys.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Section loaded: profapi.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Section loaded: mswsock.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile written: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\config.iniJump to behavior
Source: Q3N5HdmTIp.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: Q3N5HdmTIp.exeStatic file information: File size 17796608 > 1048576
Source: Q3N5HdmTIp.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x10e6400
Source: Q3N5HdmTIp.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeCode function: 12_2_00007FF7774E13DA LoadLibraryA,LoadLibraryA,GetProcAddress,12_2_00007FF7774E13DA
Source: Q3N5HdmTIp.exeStatic PE information: section name: .xdata
Source: TbQwNs1NS7.exe.0.drStatic PE information: section name: UPX2
Source: i2pd.exe.12.drStatic PE information: section name: .rodata
Source: i2pd.exe.12.drStatic PE information: section name: .xdata
Source: tor.exe.12.drStatic PE information: section name: .buildid
Source: lyrebird.exe.12.drStatic PE information: section name: .xdata
Source: lyrebird.exe.12.drStatic PE information: section name: .symtab
Source: unUHHarNb4.dll.12.drStatic PE information: section name: .xdata
Source: unfwt7ILja.dll.12.drStatic PE information: section name: .xdata
Source: unol2WsrLx.dll.12.drStatic PE information: section name: .xdata
Source: unTLh7hyYP.dll.12.drStatic PE information: section name: .xdata
Source: un4VX4OUvi.dll.12.drStatic PE information: section name: .xdata
Source: x249eCnh.12.drStatic PE information: section name: .rodata
Source: x249eCnh.12.drStatic PE information: section name: .xdata
Source: AxyiIQHO.12.drStatic PE information: section name: .xdata
Source: AxyiIQHO.12.drStatic PE information: section name: .symtab
Source: jvCykiN8.12.drStatic PE information: section name: .xdata
Source: 09cNf8RU.12.drStatic PE information: section name: .xdata
Source: VnjNMdWB.12.drStatic PE information: section name: .xdata
Source: 3vxRh6uI.12.drStatic PE information: section name: .xdata
Source: wGUVXUjr.12.drStatic PE information: section name: .buildid
Source: rv83Y2s6.12.drStatic PE information: section name: .xdata
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeCode function: 12_2_00007FF7774F0515 pushfq ; iretd 12_2_00007FF7774F0516
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeCode function: 12_2_00007FF7774EFE53 pushfq ; iretd 12_2_00007FF7774EFE56
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeCode function: 12_2_00007FF7774F0209 pushfq ; retf 12_2_00007FF7774F020A
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\09cNf8RUJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\wGUVXUjrJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\jvCykiN8Jump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\AxyiIQHOJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\VnjNMdWBJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\unfwt7ILja.dllJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\lyrebird.exeJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exeJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\rv83Y2s6Jump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\unol2WsrLx.dllJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\un4VX4OUvi.dllJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\3vxRh6uIJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\unTLh7hyYP.dllJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\i2pd.exeJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\unUHHarNb4.dllJump to dropped file
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exeFile created: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\x249eCnhJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\09cNf8RUJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\wGUVXUjrJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\jvCykiN8Jump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\AxyiIQHOJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\VnjNMdWBJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\rv83Y2s6Jump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\3vxRh6uIJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\x249eCnhJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\x249eCnhJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\AxyiIQHOJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\jvCykiN8Jump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\09cNf8RUJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\VnjNMdWBJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\3vxRh6uIJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\wGUVXUjrJump to dropped file
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeFile created: C:\Windows\Temp\rv83Y2s6Jump to dropped file
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exeFile created: C:\Users\user\AppData\Local\Temp\installer.logJump to behavior
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeCode function: 12_2_00007FF7774E81AB strcmp,_read,strcmp,StartServiceCtrlDispatcherA,12_2_00007FF7774E81AB
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exeProcess created: C:\Windows\System32\sc.exe sc.exe stop ConsentUI_1093b712

Hooking and other Techniques for Hiding and Protection

Source: Q3N5HdmTIp.exe, 00000000.00000002.1312612088.000002AC9C426000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: TbQwNs1NS7.exe, 0000000C.00000002.3077506724.000002A17A3AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: TbQwNs1NS7.exe, 0000000C.00000002.3077506724.000002A17A3A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\ /setowner *S-1-5-18
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Code function: GetBestInterface,GetAdaptersInfo,GetAdaptersInfo, 12_2_00007FFCABB02B6C
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Dropped PE file which has not been started: C:\Windows\Temp\09cNf8RU
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Dropped PE file which has not been started: C:\Windows\Temp\jvCykiN8
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Dropped PE file which has not been started: C:\Windows\Temp\AxyiIQHO
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Dropped PE file which has not been started: C:\Windows\Temp\VnjNMdWB
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Dropped PE file which has not been started: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\unfwt7ILja.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Dropped PE file which has not been started: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\lyrebird.exe
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Dropped PE file which has not been started: C:\Windows\Temp\rv83Y2s6
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Dropped PE file which has not been started: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\unol2WsrLx.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Dropped PE file which has not been started: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\un4VX4OUvi.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Dropped PE file which has not been started: C:\Windows\Temp\3vxRh6uI
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Dropped PE file which has not been started: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\unTLh7hyYP.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Dropped PE file which has not been started: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\i2pd.exe
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Dropped PE file which has not been started: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\unUHHarNb4.dll
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Dropped PE file which has not been started: C:\Windows\Temp\x249eCnh
Source: C:\Windows\System32\svchost.exe TID: 8132 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5140 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe TID: 3792 | Thread sleep count: 44 > 30
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe TID: 7824 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe TID: 5672 | Thread sleep count: 54 > 30
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe TID: 5720 | Thread sleep count: 136 > 30
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe TID: 5720 | Thread sleep time: -34000s >= -30000s
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe TID: 5476 | Thread sleep count: 61 > 30
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe TID: 5476 | Thread sleep time: -30500s >= -30000s
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe TID: 5688 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Last function: Thread delayed
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\Windows\System32 FullSizeInformationJump to behavior
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeCode function: 12_2_00007FF7774E376A FindFirstFileA,FindNextFileA,_mbscpy,FindClose,12_2_00007FF7774E376A
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exeCode function: 12_2_00007FFCABB086DA FindFirstFileA,FindNextFileA,strcpy,FindClose,12_2_00007FFCABB086DA
Source: TbQwNs1NS7.exe, 0000000C.00000003.2247442649.000002A17A42B000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000003.2247631542.000002A17A42B000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077707571.000002A17A42B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Access Control Assistance OperatorsAdministratorsBackup OperatorsCryptographic OperatorsDevice OwnersDistributed COM UsersEvent Log ReadersGuestsHyper-V AdministratorsIIS_IUSRSNetwork Configuration OperatorsPerformance Log UsersPerformance Monitor UsersPower UsersRemote Desktop UsersRemote Management UsersReplicatorSystem Managed Accounts GroupUsers
Source: TbQwNs1NS7.exe, 0000000C.00000002.3077506724.000002A17A3AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWxCz
Source: svchost.exe, 00000016.00000002.3076341865.000001CCA947F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: tor.exe, 00000011.00000002.3080706634.000001811C184000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ntor-onion-key HOsjz21ycZlZd+X3WuCEw0WcvMCIp7hlqye1uKcBaiE
Source: tor.exe, 00000011.00000003.1323055516.000001811B064000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: m TWjlVJbwk4DLmQyyJeJ28NJrnvsqS7/XeLiLRSqeMuc
Source: tor.exe, 00000011.00000003.1407965655.000001811ABB7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MIGJAoGBAMPMMoyYhM1yNDvjVcyzJlEJxgdvVMCI/EzT2GghCdniehLeCviu9Jjq
Source: tor.exe, 00000011.00000003.1447406773.000001811B39B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |i+Uap2Da3HwxRWk3onA8-TWjiCbYwjJh2aqNQfWRN0/oAXyAOxfXfI7FxIbViO6E-TWjlVJbwk4DLmQyyJeJ28NJrnvsqS7/XeLiLRSqeMuc-TWovVsdXXCk4WbAmYDkivEU2dDzBQBFMcnnmzgzdksc-TW124BcdbOt3kmFM7iCK6hG8jw0JT0E3SVhyZxhpL1s-TW2iOvDw+nN90LGr1cWDJ3VZfSQoqI0CgZEs3DAkzlw-TXSVyZgZNIfPlrmbVMgsWA8vEj30Vnh2GWSYWj+dEII-TYe9iFF5C4R7EQOfewbUZHKP4vmmD3EgU1yWC2XEmY8-TadE8z+qVP1b88Y/b9+eNOuyLQyTF+tD8MGugsxixYw-TbT7R6UQ4bVv/SlF2L0+rV3hhvJjt314vahXrqQ5Za0-Tbfn8j2ruvZwy9Jpy8B/zSLIduzeBS/4Qclibe+oMpw-Tb+WN70xnoiZxprLJewiXG8bQT4SESnB86hLT9xCW4U-TcCyJLvLGZEAarYCatfncZp5XrL+K0ENDDxYSogNsNs-TcG6LaeyiklHNe0g2SzP6icYwOQ9/aKSuI2UcKyLGR4-TdINL1tPkAwjSSNKT4QToTbAdfj0oEbFdqDWYbZrUwI-TeFYE/q0mOUgpyu4ATQHtjMHa9AWJYBixa/P+/n6LmA-Tf/QLrBW1i/1pHMm2lAE18Y/lN4EU2iyvGk3tl1vXC4-TgNsG8c9mlNwPXpFnYcZBclR6v08PisSjQUj/BzCEWc-ThQfWjK2mK6LAlqMwJKWOXEIEifaZGuB9Qmcm6+fAd0-ThT1qj25B3ln2N4I4Vxcy042IuBPc1ZbQIyndwN9M9A-Th1dpt8xEufIYPt7MNcDM9iZbVPCUZ/CsuGLIw3nVgE-Th3UH2g2ZF6Rbgix6xv1vbPokcfo87wtMo28N6qG6EA-TiMqKfTxisg1Iz5VswvptUpIhVULrgbNxbmQDWCZs48-TimhHWhUrgj00TTIKdpIArrOSy0aSZ5ai0LVUP+Vk8s-Tjuy8CtFTpsXyTD8W16PwElpZEofGdZHwt3KNfvLtXY-Tjw5L9c1HNGolOjo1erJEEtqTBNN/CLi6lm0SgUV0Z8-Tj3Fv1bZRrYTOguyNM4nhnIINHVVE0aMN9jmi9oy8So-Tj5uUav9Y9GxZiD94sKPxnwJYtU7M6pr4/HMc4N+CMU-TkDYurBdXfWM9ZtDgmJbhCHHE27AhCItiilze5uidWg-TkSRLk3s85wn5vxCNSWQcTpW/lDkcKQ8kM65TcYNzRw-TkcuSSC3pi5O3oxbkkWHnn9GZJ198lsSXZoEVWZl+gI-Tkoos1Z7QGg3TRviVBQEO6fwJVWvYqd1V9mcWlhVgY4-TlAT/WEb2Nts6k5rK7m4/0FtSGNMig5eOZylQUNhSTY-TlXhVNr1hDAS7MQpgVmTZYlT25hJ6Nzh9l8WZX+C3RQ-TllMZoz7rrA5oO42UlzcQkKT02nqEpQT0G9GDZoUyyU-TmM681zWMbJKPuLQprIY358LWQ2m0GKzoG16QS7mhT8-TmbSdBIv0EFgDRa21b/FsRP/lZN8flNwMq1Xr01/f6U-TnFAQEvnxc/SOX5cDZtn1a93pAdqnKVpjlKGi+WKUzA-TnGdVSkAjthFy0HTSK3nvDlyfcnPlj+gqeARXAPiXBs-Tn228MfwfG45yA8DAiCUoCu1hOC7XWZifniMkZb9V9E-TpfII0oJHFamZJyBbBtwt/+baAeaRgITP7WEL/pm0vg-TqdiCCoHveBz9oB2PbA+EVUT9sw2WwP9/Fauzej1jWg-Tqs9eMV69LJgvPw+beNlmrti9SZoPyrj+x1GBrxDpyE-Tq
9ggPRzeNtBkPUvy1BxI50orUOf/fxTEzpGVFWZeJw-TrIF834we14osGlDykCFwChIa/YxYKoDd+Z9u4JMNZY-TrIIwY0hh7HuqeCcmztgn8OYz8CDtUY0ETk2fW5Y9lY-TrS4wfG/uill4Nm2Z+ZhQr6LP0zaMeAEUE0+LiMpLsU-TrUop72oPNRnA3rWcSZx0Un/YnRJY3I0ivhqAkYkZUo-TralYLGxtCFw/C1weehgZKfDJITyK3MnjLffdF5IZas-TruTb3PF+k1xTDBWeUvpvV4/S1CxrFC2VNfKjimeIM0-TsQvgOuplJepukCIt35sN+ET6Z47Ax3ke/VJ8FxQW+8-TsrCKOSUkl3ambjT8sMUWFWpFqMFEolyFu9cgvmcEkQ-TsuwAhZrzLUSJANCEG5d9Hi+ccNnFHpxAxNiKgDSK4Y-TsxZAT5PJPZIbLfEpjZZusducuRwC+x2MFRmEoBz658-Ts9HoKs/wNbfC8xPfR/cgerngqXpKyMDDafPElpYIZc-TtfrOMST3J1LkmT3CTPQe4TahS9TJDsPqtH9ZZeCF9E-Tt7Go9ESVb1C+tn8mUFYuuZiuBqTD1hgvCdXtPBERw0-TuK1/3Gzs8BkuGO03nMfmXPiEGwXeFz0liY0mmzyWEI-TvJA1T2PAzDtvw2xpamJ5N44K9B"
Source: svchost.exe, 00000001.00000002.2839131056.00000231D4C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2838663869.00000231CF42B000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000003.2247442649.000002A17A42B000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000003.1647202340.000002A17A433000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000003.2247631542.000002A17A42B000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077707571.000002A17A42B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: tor.exe, 00000011.00000003.1323055516.000001811B064000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: m FPpvVgrLcLFV4kuqHE+9xjdXHML60MYpHgfsSNwkOd4
Source: tor.exe, 00000011.00000003.1323055516.000001811B064000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: m B0FJEdrSDA99of3PcBfw5lhV3s0X7QemUgvBs6eNlbU
Source: Q3N5HdmTIp.exe, 00000000.00000002.1312612088.000002AC9C42E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>>2
Source: tor.exe, 00000011.00000000.1257436120.00007FF7129D3000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: PrLfsL
Source: TbQwNs1NS7.exe, 0000000C.00000002.3077506724.000002A17A3AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Administrators"
Source: tor.exe, 00000011.00000002.3082186972.000001811CD17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: id ed25519 5uD7nVmCI5DppHHtx2H+7AzbTP39/UvAQinqkc/a/lg
Source: TbQwNs1NS7.exe, 0000000C.00000003.2247479408.000002A17A405000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000003.2247525188.000002A17A41C000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077707571.000002A17A41C000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000003.2247770903.000002A17A41C000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077654105.000002A17A406000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000003.2247383961.000002A17A417000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000003.2247652711.000002A17A406000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Administrators
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | API call chain: ExitProcess graph end node graph_12-41602
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Process information queried: ProcessInformation
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Code function: 12_2_00007FF7774E13DA LoadLibraryA,LoadLibraryA,GetProcAddress,12_2_00007FF7774E13DA
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Code function: 12_2_00007FF7774E1360 GetProcessHeap,RtlAllocateHeap,12_2_00007FF7774E1360
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Code function: 12_2_00007FF7774E1131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,12_2_00007FF7774E1131
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq ConsentUI_1093b712"
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Queries volume information: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.rc VolumeInformation
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Queries volume information: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.rc VolumeInformation
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Queries volume information: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor-data VolumeInformation
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | Queries volume information: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor-data\state VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Code function: 12_2_00007FFCAC513888 wcslen,wcsncpy,LookupAccountNameW,12_2_00007FFCAC513888
Source: C:\Users\user\Desktop\Q3N5HdmTIp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

barindex
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | Code function: 12_2_00007FFCABAE1665 socket,bind,listen,12_2_00007FFCABAE1665
Tactic: techniques as listed in the report's matrix (a leading number is the report's count of matching signatures for that technique; techniques without a number were not matched)

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
  • Execution: 21 Windows Management Instrumentation, 1 Native API, 3 Service Execution, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
  • Persistence: 1 DLL Side-Loading, 4 Windows Service, 1 Services File Permissions Weakness, Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
  • Privilege Escalation: 1 DLL Side-Loading, 4 Windows Service, 1 Process Injection, 1 Services File Permissions Weakness, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
  • Defense Evasion: 11 Disable or Modify Tools, 11 Obfuscated Files or Information, 1 Software Packing, 1 DLL Side-Loading, 1 File Deletion, 31 Masquerading, 3 Virtualization/Sandbox Evasion, 1 Process Injection, 1 Hidden Users, 1 Services File Permissions Weakness
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
  • Discovery: 1 Account Discovery, 3 File and Directory Discovery, 34 System Information Discovery, 141 Security Software Discovery, 3 Virtualization/Sandbox Evasion, 2 Process Discovery, 1 System Owner/User Discovery, 2 System Network Configuration Discovery, Network Sniffing, Network Service Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
  • Collection: 11 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
  • Command and Control: 2 Ingress Tool Transfer, 12 Encrypted Channel, 1 Non-Standard Port, 2 Non-Application Layer Protocol, 3 Application Layer Protocol, 1 Proxy, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1640386 | Sample: Q3N5HdmTIp.exe | Startdate: 17/03/2025 | Architecture: WINDOWS | Score: 100

Start (node 2)
  2->60 ip-api.com
  2->76 Antivirus detection for URL or domain
  2->78 Multi AV Scanner detection for dropped file
  2->80 Multi AV Scanner detection for submitted file
  2->82 6 other signatures
  2->8 TbQwNs1NS7.exe 32 (started)
  2->13 Q3N5HdmTIp.exe 9 (started)
  2->15 svchost.exe (started)
  2->17 5 other processes

TbQwNs1NS7.exe (node 8)
  8->68 77.83.199.161 ASN-MOLMoscowRussiaRU Lithuania
  8->70 ip-api.com 208.95.112.1 TUT-ASUS United States
  8->74 2 other IPs or domains
  8->50 C:\Windows\Temp\x249eCnh, PE32+ (dropped)
  8->52 C:\Windows\Temp\wGUVXUjr, PE32+ (dropped)
  8->54 C:\Windows\Temp\rv83Y2s6, PE32+ (dropped)
  8->58 14 other malicious files (dropped)
  8->84 Contains functionality to hide user accounts
  8->86 Found Tor onion address
  8->19 tor.exe 12 (started)

Q3N5HdmTIp.exe (node 13)
  13->56 C:\Users\Public\...\TbQwNs1NS7.exe, PE32+ (dropped)
  13->22 taskkill.exe 1 (started)
  13->24 icacls.exe 1 (started)
  13->26 icacls.exe 1 (started)
  13->30 4 other processes

svchost.exe (node 15)
  15->88 Changes security center settings (notifications, updates, antivirus, firewall)
  15->28 MpCmdRun.exe 1 (started)

5 other processes (node 17)
  17->72 127.0.0.1 unknown unknown

tor.exe (node 19)
  19->62 185.220.101.205, 443, 49735 ASMKNL Germany
  19->64 194.147.140.106, 443, 49736 PTPEU unknown
  19->66 4 other IPs or domains
  19->32 conhost.exe (started)

conhost.exe children of the remaining processes
  22->34 conhost.exe (started)
  24->36 conhost.exe (started)
  26->38 conhost.exe (started)
  28->40 conhost.exe (started)
  30->42 conhost.exe (started)
  30->44 conhost.exe (started)
  30->46 conhost.exe (started)
  30->48 conhost.exe (started)

Source | Detection | Scanner | Label
Q3N5HdmTIp.exe | 45% | Virustotal |
Q3N5HdmTIp.exe | 36% | ReversingLabs | Win64.Trojan.Giant

Source | Detection | Scanner | Label
C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe | 17% | ReversingLabs |
C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\i2pd.exe | 16% | ReversingLabs |
C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\lyrebird.exe | 0% | ReversingLabs |
C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe | 0% | ReversingLabs |
C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\un4VX4OUvi.dll | 4% | ReversingLabs |
C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\unTLh7hyYP.dll | 4% | ReversingLabs |
C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\unUHHarNb4.dll | 4% | ReversingLabs |
C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\unfwt7ILja.dll | 4% | ReversingLabs |
C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\unol2WsrLx.dll | 8% | ReversingLabs |
C:\Windows\Temp\09cNf8RU | 4% | ReversingLabs |
C:\Windows\Temp\3vxRh6uI | 8% | ReversingLabs |
C:\Windows\Temp\AxyiIQHO | 0% | ReversingLabs |
C:\Windows\Temp\VnjNMdWB | 4% | ReversingLabs |
C:\Windows\Temp\jvCykiN8 | 4% | ReversingLabs |
C:\Windows\Temp\rv83Y2s6 | 4% | ReversingLabs |
C:\Windows\Temp\wGUVXUjr | 0% | ReversingLabs |
C:\Windows\Temp\x249eCnh | 16% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://bugs.torproject.org/tpo/core/tor/14917. | 0% | Avira URL Cloud | safe
https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks.%s | 0% | Avira URL Cloud | safe
https://reseed.memcpy.io/ | 0% | Avira URL Cloud | safe
https://i2pseed.creativecowpat.net:8443/ | 0% | Avira URL Cloud | safe
https://reseed.i2pgit.org/ | 100% | Avira URL Cloud | malware
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/jump/ | 0% | Avira URL Cloud | safe
https://reseed-pl.i2pd.xyz/ | 0% | Avira URL Cloud | safe
https://reseed2.i2p.net/ | 100% | Avira URL Cloud | malware
https://blog.torproject.org/lifecycle-of-a-new-relayset | 0% | Avira URL Cloud | safe
https://reseed.onion.im/ | 0% | Avira URL Cloud | safe
https://support.torproject.org/faq/staying-anonymous/alphabetaThis | 0% | Avira URL Cloud | safe
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt | 0% | Avira URL Cloud | safe
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/add | 0% | Avira URL Cloud | safe
http://nytzrhrjjfsutowojvxi7hphesskpqqr65wpistz6wa7cpajhp7a.b32.i2p/cgi-bin/jump.cgi?q= | 0% | Avira URL Cloud | safe
https://reseed-fr.i2pd.xyz/ | 0% | Avira URL Cloud | safe
https://banana.incognet.io/ | 0% | Avira URL Cloud | safe
https://i2p.novg.net/ | 0% | Avira URL Cloud | safe
https://i2p.ghativega.in/ | 0% | Avira URL Cloud | safe
https://bugs.torproject.org/tpo/core/tor/21155. | 0% | Avira URL Cloud | safe
https://www2.mk16.de/ | 0% | Avira URL Cloud | safe
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/jump/reg.i2phttp://3mzmrus2oron5 | 0% | Avira URL Cloud | safe
http://reg.i2p/hosts.txt | 0% | Avira URL Cloud | safe
https://support.torproject.org/faq/staying-anonymous/ | 0% | Avira URL Cloud | safe
https://blog.torproject.org/v2-deprecation-timeline | 0% | Avira URL Cloud | safe
https://reseed.diva.exchange/ | 100% | Avira URL Cloud | malware
http://7tbay5p4kzeekxvyvbf6v7eauazemsnnl2aoyqhg5jzpr5eke7tq.b32.i2p/cgi-bin/jump.cgi?a= | 0% | Avira URL Cloud | safe
https://sabotage.net | 0% | Avira URL Cloud | safe
https://blog.torproject.org/lifecycle-of-a-new-relay | 0% | Avira URL Cloud | safe
https://reseed.stormycloud.org/ | 0% | Avira URL Cloud | safe
https://bugs.torproject.org/tpo/core/tor/8742. | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://html4/loose.dtd | Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730F00000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17B307000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://gcc.gnu.org/bugs/): | TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks.%s | TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://i2pseed.creativecowpat.net:8443/ | TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://ip-api.com/n | TbQwNs1NS7.exe, 0000000C.00000003.1647081324.000002A17A41A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://reseed.memcpy.io/ | TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://ip-api.com/ | TbQwNs1NS7.exe, 0000000C.00000003.1647081324.000002A17A41A000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077506724.000002A17A3AE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000001.00000003.1205052021.00000231D4A43000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1205052021.00000231D4A62000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reseed.i2pgit.org/ | TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://www.torproject.org/ | Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://.css | Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730F00000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17B307000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://bugs.torproject.org/tpo/core/tor/14917. | Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000013.00000003.1364460115.000001280F66E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod.C: | svchost.exe, 00000001.00000003.1205052021.00000231D49F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reseed-pl.i2pd.xyz/ | TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/jump/ | TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2 | svchost.exe, 00000001.00000003.1205052021.00000231D4A62000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.torproject.org/documentation.html | TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://reseed.onion.im/ | TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://bridges.torproject.org/status?id=%suninitialized | Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://freehaven.net/anonbib/#hs-attack06 | Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmp | false | | high
                              https://reseed2.i2p.net/TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              unknown
                              https://blog.torproject.org/lifecycle-of-a-new-relaysetQ3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://ip-api.com/arTbQwNs1NS7.exe, 0000000C.00000002.3077506724.000002A17A3AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                high
                                https://support.torproject.org/faq/staying-anonymous/alphabetaThisQ3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://banana.incognet.io/TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: safe
                                unknown
                                http://.jpgQ3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730F00000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17B307000.00000004.00000020.00020000.00000000.sdmpfalse
                                  high
                                  https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 00000001.00000003.1205052021.00000231D4A62000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://nytzrhrjjfsutowojvxi7hphesskpqqr65wpistz6wa7cpajhp7a.b32.i2p/cgi-bin/jump.cgi?q=TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txtTbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://reseed-fr.i2pd.xyz/TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmptrue
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://ip-api.com:80/line?fields=querywTbQwNs1NS7.exe, 0000000C.00000002.3077506724.000002A17A3AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
                                      https://dev.ditu.live.com/REST/v1/Transit/Stops/svchost.exe, 00000013.00000003.1364460115.000001280F66E000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        https://i2p.novg.net/TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmptrue
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://ip-api.com/line?fields=queryfirsTbQwNs1NS7.exe, 0000000C.00000002.3077506724.000002A17A3AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/addTbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://crl.ver)svchost.exe, 00000001.00000002.2839166022.00000231D4CA4000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            https://i2p.ghativega.in/TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmptrue
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://bugs.torproject.org/tpo/core/tor/21155.Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://www2.mk16.de/TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmptrue
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://ip-api.com/line?fields=queryTbQwNs1NS7.exe, 0000000C.00000003.2247525188.000002A17A41C000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077707571.000002A17A41C000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000003.2247770903.000002A17A41C000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000003.1647081324.000002A17A41A000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000003.2247383961.000002A17A417000.00000004.00000020.00020000.00000000.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077506724.000002A17A3AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              http://reg.i2p/hosts.txtTbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/jump/reg.i2phttp://3mzmrus2oron5TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://bridges.torproject.org/status?id=%sQ3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://support.torproject.org/faq/staying-anonymous/Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.gnu.org/licenses/gpl-3.0.en.html)Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  https://blog.torproject.org/v2-deprecation-timelineTbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmptrue
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://dynamic.tsvchost.exe, 00000013.00000003.1364460115.000001280F66E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96svchost.exe, 00000001.00000003.1205052021.00000231D4A62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://reseed.diva.exchange/TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmptrue
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      https://sabotage.nettor.exe, 00000011.00000003.1320406588.000001811A9F0000.00000004.00000020.00020000.00000000.sdmp, tor.exe, 00000011.00000003.1336008658.000001811A9D7000.00000004.00000020.00020000.00000000.sdmp, tor.exe, 00000011.00000003.1323055516.000001811B064000.00000004.00000020.00020000.00000000.sdmp, tor.exe, 00000011.00000003.1337310374.000001811A9EE000.00000004.00000020.00020000.00000000.sdmp, tor.exe, 00000011.00000003.1315281827.000001811ABBB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://7tbay5p4kzeekxvyvbf6v7eauazemsnnl2aoyqhg5jzpr5eke7tq.b32.i2p/cgi-bin/jump.cgi?a=TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://reseed.stormycloud.org/TbQwNs1NS7.exe, 0000000C.00000003.2690450607.000002A17C568000.00000004.00000020.00020000.00000000.sdmptrue
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://blog.torproject.org/lifecycle-of-a-new-relayQ3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://bugs.torproject.org/tpo/core/tor/8742.Q3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://www.torproject.org/docs/faq.html#BestOSForRelayQ3N5HdmTIp.exe, 00000000.00000002.1312784338.00007FF730500000.00000004.00000001.01000000.00000003.sdmp, TbQwNs1NS7.exe, 0000000C.00000002.3077766030.000002A17A907000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-AS US | false
185.220.101.205 | unknown | Germany | 208294 | ASMK NL | true
89.35.131.44 | unknown | Romania | 39668 | INTERSAT-AS Ion Ratiu nr 33 RO | false
130.225.244.90 | unknown | Denmark | 1835 | FSKNET-DK Forskningsnettet - Danish network for Research and | false
194.147.140.106 | unknown | unknown | 47285 | PTP EU | false
148.251.198.84 | unknown | Germany | 24940 | HETZNER-AS DE | false
77.83.199.161 | unknown | Lithuania | 12679 | ASN-MOL Moscow Russia RU | true
91.143.88.62 | unknown | Germany | 35366 | ISPPRO-AS ISPPRO-AS covers the networks of ISPpro DE | false
IP (private / loopback)
• 127.0.0.7
• 127.0.0.2
• 127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1640386
Start date and time: 2025-03-17 09:38:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Q3N5HdmTIp.exe (renamed because the original name is a hash value)
Original Sample Name: 2e68a8634c9fbb9c006569d3b69afa53.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@35/50@1/11
EGA Information:
• Successful, ratio: 33.3%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms or higher are ignored
• Processes excluded from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
• IPs excluded from analysis (whitelisted): 23.60.203.209, 52.149.20.212, 20.3.187.198, 52.165.164.15, 20.12.23.50, 204.79.197.222
• Domains excluded from analysis (whitelisted): fp.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target Q3N5HdmTIp.exe, PID 8016 because it is empty
• Execution Graph export aborted for target tor.exe, PID 3016 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size exceeded maximum capacity and may have missing network information
• Report size getting too big: too many NtQueryValueKey calls found
• Report size getting too big: too many NtSetInformationFile calls found
                                                        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | XWCTtOuD5e.exe | malicious | Python Stealer, Exela Stealer, Njrat | ip-api.com/json
208.95.112.1 | WindowsDefender.exe | malicious | Python Stealer, Blank Grabber, Umbral Stealer | ip-api.com/json/?fields=225545
208.95.112.1 | Setup.exe | malicious | Python Stealer, Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | Planck Scale Lantern.exe | malicious | PureLog Stealer, XWorm, zgRAT | ip-api.com/line/?fields=hosting
208.95.112.1 | Setup(1).exe | malicious | Blank Grabber, Umbral Stealer | ip-api.com/json/?fields=225545
208.95.112.1 | ExLoader_Installer.exe | malicious | Python Stealer, Blank Grabber, Umbral Stealer, XWorm | ip-api.com/json/?fields=225545
208.95.112.1 | awjcsl.exe | malicious | Blank Grabber, Umbral Stealer | ip-api.com/json/?fields=225545
208.95.112.1 | Extreme Injector v3.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | MEMESENSE.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
185.220.101.205 | PHHOjspjmp.exe | malicious | CMSBrute | -
185.220.101.205 | Mcb5K3TOWT.exe | malicious | Unknown | -
185.220.101.205 | FV0mIIfKwQ.exe | malicious | Amadey, RisePro Stealer, SmokeLoader, Stealc | -
185.220.101.205 | IIBXMzS0zN.exe | malicious | Glupteba, SmokeLoader, Socks5Systemz, Stealc, Xmrig | -
185.220.101.205 | SLtb3T91Li.exe | malicious | Unknown | -
185.220.101.205 | M6xATHbwxY.exe | malicious | Glupteba, RedLine, SmokeLoader | -
185.220.101.205 | file.exe | malicious | RedLine, SmokeLoader | -
185.220.101.205 | file.exe | malicious | Unknown | -
185.220.101.205 | g5oo6DQ4pd.exe | malicious | Unknown | -
185.220.101.205 | hrgJ85rPgh.exe | malicious | Unknown | -
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | XWCTtOuD5e.exe | malicious | Python Stealer, Exela Stealer, Njrat | 208.95.112.1
ip-api.com | WindowsDefender.exe | malicious | Python Stealer, Blank Grabber, Umbral Stealer | 208.95.112.1
ip-api.com | Setup.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
ip-api.com | Planck Scale Lantern.exe | malicious | PureLog Stealer, XWorm, zgRAT | 208.95.112.1
ip-api.com | Setup(1).exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
ip-api.com | ExLoader_Installer.exe | malicious | Python Stealer, Blank Grabber, Umbral Stealer, XWorm | 208.95.112.1
ip-api.com | awjcsl.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
ip-api.com | Extreme Injector v3.exe | malicious | XWorm | 208.95.112.1
ip-api.com | MEMESENSE.exe | malicious | XWorm | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FSKNET-DK Forskningsnettet - Danish network for Research and | nabppc.elf | malicious | Unknown | 192.39.148.202
FSKNET-DK Forskningsnettet - Danish network for Research and | cbr.arm.elf | malicious | Mirai | 130.225.89.216
FSKNET-DK Forskningsnettet - Danish network for Research and | Owari.spc.elf | malicious | Unknown | 130.225.116.235
FSKNET-DK Forskningsnettet - Danish network for Research and | res.mpsl.elf | malicious | Unknown | 192.38.105.155
FSKNET-DK Forskningsnettet - Danish network for Research and | res.spc.elf | malicious | Unknown | 130.225.51.240
FSKNET-DK Forskningsnettet - Danish network for Research and | kre4per.arm.elf | malicious | Unknown | 130.225.116.248
FSKNET-DK Forskningsnettet - Danish network for Research and | armv6l.elf | malicious | Unknown | 130.225.89.222
FSKNET-DK Forskningsnettet - Danish network for Research and | Hilix.arm.elf | malicious | Mirai | 130.225.89.223
FSKNET-DK Forskningsnettet - Danish network for Research and | Hgf.i686.elf | malicious | Mirai | 192.38.70.197
FSKNET-DK Forskningsnettet - Danish network for Research and | botx.sh4.elf | malicious | Mirai | 130.225.89.235
INTERSAT-AS Ion Ratiu nr 33 RO | aZpYzAbOTN.exe | malicious | Amadey | 89.35.131.209
INTERSAT-AS Ion Ratiu nr 33 RO | file.exe | malicious | Amadey | 89.35.131.209
INTERSAT-AS Ion Ratiu nr 33 RO | DF2.exe | malicious | Unknown | 89.35.131.34
INTERSAT-AS Ion Ratiu nr 33 RO | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT | 89.35.131.209
INTERSAT-AS Ion Ratiu nr 33 RO | file.exe | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS | 89.35.131.209
INTERSAT-AS Ion Ratiu nr 33 RO | SecuriteInfo.com.Trojan.Siggen29.56161.779.26301.exe | malicious | Unknown | 89.35.131.141
INTERSAT-AS Ion Ratiu nr 33 RO | la.bot.mipsel.elf | malicious | Unknown | 31.14.230.52
INTERSAT-AS Ion Ratiu nr 33 RO | BYfRVLUA1z.elf | malicious | Unknown | 31.14.230.65
INTERSAT-AS Ion Ratiu nr 33 RO | miori.arm-20220630-2250 | malicious | Unknown | 89.46.130.2
ASMK NL | ArmyPlusInstaller-v.0.10.23672.exe | malicious | Unknown | 185.220.101.7
ASMK NL | bPRQRIfbbq.exe | malicious | Unknown | 185.220.101.209
ASMK NL | bPRQRIfbbq.exe | malicious | Unknown | 185.220.101.192
ASMK NL | AD6dpKQm7n.exe | malicious | Unknown | 185.220.101.70
ASMK NL | ickTGSF56D.exe | malicious | Unknown | 185.220.101.206
ASMK NL | o4QEzeCniw.exe | malicious | Unknown | 185.220.101.150
ASMK NL | Payload 94.75 (3).225.exe | malicious | Unknown | 185.220.101.72
ASMK NL | Payload 94.75 (2).225.exe | malicious | Unknown | 185.220.101.169
ASMK NL | Payload 94.75 (2).225.exe | malicious | Unknown | 185.220.101.3
ASMK NL | Payload 94.75.225.exe | malicious | Unknown | 185.220.101.21
TUT-AS US | XWCTtOuD5e.exe | malicious | Python Stealer, Exela Stealer, Njrat | 208.95.112.1
                                                                            WindowsDefender.exeGet hashmaliciousPython Stealer, Blank Grabber, Umbral StealerBrowse
                                                                            • 208.95.112.1
                                                                            Setup.exeGet hashmaliciousPython Stealer, Blank GrabberBrowse
                                                                            • 208.95.112.1
                                                                            Planck Scale Lantern.exeGet hashmaliciousPureLog Stealer, XWorm, zgRATBrowse
                                                                            • 208.95.112.1
                                                                            Setup(1).exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                            • 208.95.112.1
                                                                            ExLoader_Installer.exeGet hashmaliciousPython Stealer, Blank Grabber, Umbral Stealer, XWormBrowse
                                                                            • 208.95.112.1
                                                                            awjcsl.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                            • 208.95.112.1
                                                                            Extreme Injector v3.exeGet hashmaliciousXWormBrowse
                                                                            • 208.95.112.1
                                                                            MEMESENSE.exeGet hashmaliciousXWormBrowse
                                                                            • 208.95.112.1
                                                                            No context
                                                                            Match | Associated Sample Name / URL | Detection | Threat Name
                                                                            C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\lyrebird.exe | dld1.dd.exe | malicious | Unknown
                                                                              (same match) | pp.dd.exe | malicious | Unknown
                                                                              (same match) | dld1.dd.exe | malicious | Unknown
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):8192
                                                                                  Entropy (8bit):0.363788168458258
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
                                                                                  MD5:0E72F896C84F1457C62C0E20338FAC0D
                                                                                  SHA1:9C071CC3D15E5BD8BF603391AE447202BD9F8537
                                                                                  SHA-256:686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
                                                                                  SHA-512:AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
                                                                                  Malicious:false
                                                                                  Preview:*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1310720
                                                                                  Entropy (8bit):1.3107746166489864
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrl:KooCEYhgYEL0In
                                                                                  MD5:02EA364ACE43BF4FAFF9F8813AA8E932
                                                                                  SHA1:D22CD1E8B0254DE5B11CE75C347C9F6F7891325E
                                                                                  SHA-256:1E19C6E752329FFE3D3C9C669F88A8B1FDC905CAEDE1B2C480EB173322AFEE1D
                                                                                  SHA-512:DBC2629B70355CEC7DAB2A9698926D52527FC412122CF662C6243AC109EA17ED0F108D06C9CBF4F2F971BACE94A70C2EAFEA5A151E4711DCC06A386C7EA5CA76
                                                                                  Malicious:false
                                                                                  Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xa0a87310, page size 16384, Windows version 10.0
                                                                                  Category:dropped
                                                                                  Size (bytes):1310720
                                                                                  Entropy (8bit):0.4221108099809755
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:PSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:Pazag03A2UrzJDO
                                                                                  MD5:3CD1253C8D7EFA3C318212391A61B97B
                                                                                  SHA1:CC78A00CDFD2F3043886ADC5E23A805C98286281
                                                                                  SHA-256:53303DC631139426D1678506B1BC7C720D89C750072FF44C4BBDD5EBD0F4FCFE
                                                                                  SHA-512:848B6A55D91A7F78A20531F0236B96FCD19E1FB4058D01F33083FA6B74C78FAC2ACCCED474B989E22017FC279AB1CADAF2AA7536667FAC140975958F871375F7
                                                                                  Malicious:false
                                                                                  Preview:..s.... .......Y.......X\...;...{......................n.%......)...}m..'...}..h.#......)...}m.n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{..................................e.(..)...}m...................8..)...}m..........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):16384
                                                                                  Entropy (8bit):0.07534549708236503
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:2eXUetYeUu09vYll7t0ZcVmY4l/qnMtfllAllOE/tlnl+/rTc:2eXNzUvIlpqcVvoinsNlApMP
                                                                                  MD5:A3F65343AB797AC2E5BCDB3DC31553B5
                                                                                  SHA1:43E579D3A3FEE2B5C21F27A8E3FF68E361E14704
                                                                                  SHA-256:472F921BF9FD409639D7D3558D63771948A1BFBDBB811F87A0A1F3F6CBC33D9C
                                                                                  SHA-512:0CABBC1A1159D1A2986C78D8326B393056AD2C511A257A14E15D3B19B273CC53E10ACA43F3DDEE314AC67A0ABDB957559344890A113C568E851CB1FB91075691
                                                                                  Malicious:false
                                                                                  Preview:T..Q.....................................;...{...'...}...)...}m..........)...}M..)...}m......)...}M...................8..)...}m.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\Q3N5HdmTIp.exe
                                                                                  File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):38912
                                                                                  Entropy (8bit):7.852096749338171
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:0roV2QehdRmOi4atwSmJvbKmWBAPLIILRyIPJF5X51uUmvyynvoZQH1415jyf:5kJxLNXW+PLI6RywFpDuUm6yngSf
                                                                                  MD5:F96CEB4A2B1C1B0C0278CF7546B31661
                                                                                  SHA1:1F7FCB5F92C0CEDF3A358B25C43CB96CB219E4FE
                                                                                  SHA-256:1CAC5A7F57294EA93B7E34B0C40A31FB81743C19FE43E029EE5BFCD6606396C7
                                                                                  SHA-512:BFAA1B02FB8EFD93FDAB8B7CAA94FD4A8133F0F4686C314D441B2E87A81F64D7D1D031A0B7CA0674757914D6FEB44C698BA6F04B2803FE9D10AB878A37293F22
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................*.........0.......@.....@..........................................`... ..............................................................0..p...........................................p...(...................................................UPX0.....0..............................UPX1.........@......................@...UPX2................................@...4.24.UPX!.$..0.af...5........0..I../.....H..(H........M1.....}....f.9MZ...?3.uGHcA<H..8PE.8.....H.+...t...t..%.xt.v.....Y^no g......v..no.........UF..|?........8N..d8....l./o%.................Ep..:.u....w{g..]1...(.8...7L...iH..... ........>.#..D$ /...M}D.....H8.AVAUATUW..K.VS9 -..5.ae...o..%0(X.x.H..]..../.H9.t.........1....M...=..;.......$....+...u...Z......?...<....I..<..I7.*.}$>lx./...u...E.......".\t.E.. 1......v/..;......`(.-............%.t..........=..K...H......~p.L.
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):11110
                                                                                  Entropy (8bit):5.353525296015494
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:jclp/RYlHauR5QIrdT4Nw2yMrKKJXsdfZrDME:tINrKKKdfZrDME
                                                                                  MD5:C53899B400E3A4C62E7553A651D6DF64
                                                                                  SHA1:A631DEB250B801559F95F8336DD6CA7BF4174B0E
                                                                                  SHA-256:091783DD1945ECA0CD73E7491058C07C906DB42FFEC49A324975581421B85BA1
                                                                                  SHA-512:E1E81BB8CF2505C8080C2B5C1F90B30E4B94A080CDDC69DC69637B76ABCA5DE1136468DFAADD57E5CF5A226F59C3DE149A6A6CBD5BA7C75ACB84CFEBD79924B9
                                                                                  Malicious:false
                                                                                  Preview:[I] debug_init -> Ok..[D] ini_get_sec -> main..[D] ini_get_var -> main,version,40000564c2492016..[I] sys_init -> sys_win_dir=C:\Windows..[D] registry_get_value -> 0xffffffff80000002,SOFTWARE\Microsoft\Cryptography\MachineGuid..[I] sys_init -> sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06..[I] sys_init -> vol_sn=7011dacf..[I] sys_init -> sys_uid=c76a8f087011dacf,sys_os_ver=10.0.19045.0.0..[I] net_init -> Ok..[I] ebus_init -> Ok..[D] ini_get_sec -> cnccli..[D] ini_get_var -> cnccli,server_host,4d53c7a1..[D] ini_get_sec -> cnccli..[D] ini_get_var -> cnccli,server_port,41674..[D] ini_get_sec -> cnccli..[D] ini_get_var -> cnccli,server_timeo,15000..[D] ini_get_sec -> cnccli..[D] ini_get_var -> cnccli,i2p_try_num,2..[D] ini_get_sec -> cnccli..[D] ini_get_var -> cnccli,i2p_sam3_timeo,15000..[D] ini_get_sec -> cnccli..[D] ini_get_var -> cnccli,i2p_addr,2lyi6mgj6tn4eexl6gwnujwfycmq7dcus2x42petanvpwpjlqrhq.b32.i2p..[D] ini_get_sec -> cnccli..[D] ini_get_var -> cnccli,tor_try_num,2..[D] ini_
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
                                                                                  File Type:Generic INItialization configuration [cnccli]
                                                                                  Category:dropped
                                                                                  Size (bytes):334
                                                                                  Entropy (8bit):5.093800787860546
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:1EV/RZD4ozS0MuJO+70XXIzOD7kXpTRL9gWVUDeLRqB/Q0yGJZJG1Fm:CnqoNDJO+70XXeC7kX9vgpKlqtfbJGPm
                                                                                  MD5:3862C5D4822500AFF16E8ADBB03E1212
                                                                                  SHA1:E4B2F3F2B165F794C071F0F48C07A8852228D1E2
                                                                                  SHA-256:50AAEC5D4A35B71CABCC9890A148D21B0E9A2BC9BE353E51BEB9D300698F3485
                                                                                  SHA-512:84B37F86E72ED99C8E098F52A9B051D96DCFE2E20D1B5812A4794D81817914E6C721C5E49CBD87A124F1D6EAA07DF6862DB2BB481C39E640910CA2952188FC5C
                                                                                  Malicious:false
                                                                                  Preview:[main]..version=40000564c2492016..[cnccli]..server_host=4d53c7a1..server_port=41674..server_timeo=15000..i2p_try_num=2..i2p_sam3_timeo=15000..i2p_addr=2lyi6mgj6tn4eexl6gwnujwfycmq7dcus2x42petanvpwpjlqrhq.b32.i2p..tor_addr=pv73shvxmlg5geqvbfqlcllmlml2recg4gmycydfnacnxivff4u6poad.onion..tor_port=41671..tor_try_num=2..tor_timeo=15000..
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):2000
                                                                                  Entropy (8bit):5.685043053701108
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:i2clpc2RYlHaAyJsI1St98A8BS3uRtsI1S6Q+PQPSat0:jclp/RYlHaZNwkEstNwD+PQKg0
                                                                                  MD5:27E6E11D1665CB746FF97DD0C992F1D9
                                                                                  SHA1:80008FAF9CDECF77C8B6B3CE1297D3998F0D67DB
                                                                                  SHA-256:03A22C6753E91AA7E646B072AEE5CF8670DFFA19C772402D550079482720F500
                                                                                  SHA-512:F17D88CB7834361CD08EA00F7D5DB49E22CB55A3678B6F283AC5FF5843271BF1F3B3DCE33BB4EDFBBB3D6E6C86D721C81DB4824EF75DDCAB50FE2D8C275268DD
                                                                                  Malicious:false
                                                                                  Preview:[I] debug_init -> Ok..[D] ini_get_sec -> main..[D] ini_get_var -> main,version,40000564c2492016..[I] sys_init -> sys_win_dir=C:\Windows..[D] registry_get_value -> 0xffffffff80000002,SOFTWARE\Microsoft\Cryptography\MachineGuid..[I] sys_init -> sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06..[I] sys_init -> vol_sn=7011dacf..[I] sys_init -> sys_uid=c76a8f087011dacf,sys_os_ver=10.0.19045.0.0..[I] net_init -> Ok..[I] ebus_init -> Ok..[I] ebus_subscribe -> 0x00007ffcafba1c05..[I] tcp_connect -> 0x194,7f000007:41673..[D] ebus_dispatch -> size=97,code=DLWD,sender=-VRSCNC-,receiver=-RGMLWD-,td=664,err=00000000..[E] fs_file_read -> ERRNO(649,2)..[E] fs_file_read -> C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\schtasks/u7JAWee0A7.xml,00000003..[I] fs_path_expand -> %TEMP%,C:\Windows\TEMP,15..[I] fs_path_temp -> C:\Windows\TEMP\9TFfObIg,24..[I] tcp_connect -> 0x3e4,4d53c7a1:41676..[I] sock_close -> 0x3e4..[I] fs_file_write -> C:\Windows\TEMP\9TFfObIg,wb,1479..[I] fs_file_copy -
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):588
                                                                                  Entropy (8bit):5.289879387900699
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:i4OHHfNpcAZRYHOsHGvPCHqfboxF726L7ecMlf9OaSZWOcdO7MRO9:i4OHFpc2RYHFHcCHqfc26HecM2nZjf7L
                                                                                  MD5:DD167FEC14B8584516CA975A6702CDDE
                                                                                  SHA1:AA8E43858138B531A1668ACFF06D71C97600F9F4
                                                                                  SHA-256:96B3F9796A3ABBCE41B6D6CE7B8E166FD3748CFADD46B0619796E45463ABE574
                                                                                  SHA-512:59BA83F8C877913D6F73C45C7BBC61B35F975F0D4188AED05A3056E20447FCE7FD57F09336F571D2BFD0F6C00FF0ECBD1C13D15E807B619D79888F35C283A18D
                                                                                  Malicious:false
                                                                                  Preview:[I] debug_init -> Ok..[I] sys_init -> sys_win_dir=C:\Windows..[D] registry_get_value -> 0xffffffff80000002,SOFTWARE\Microsoft\Cryptography\MachineGuid..[I] sys_init -> sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06..[I] sys_init -> vol_sn=7011dacf..[I] sys_init -> sys_uid=c76a8f087011dacf,sys_os_ver=10.0.19045.0.0..[I] net_init -> Ok..[I] server_init -> Ok..[I] tcp_listen -> 0x210,7f000007:41673..[I] tcp_accept -> 0x210,0x214,7f000001:49725..[I] tcp_accept -> 0x210,0x21c,7f000001:49726..[I] tcp_accept -> 0x210,0x22c,7f000001:49727..[I] tcp_accept -> 0x210,0x244,7f000001:49729..
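The cnccli INI and the three debug logs above are the most useful artifacts in this section: they expose the C2 host as an 8-hex-digit value (server_host=4d53c7a1), the Tor .onion and I2P .b32.i2p fallbacks, and a set of tcp_connect / tcp_listen / tcp_accept events whose hosts use the same hex encoding (7f000007, 7f000001, 4d53c7a1). The following is an added example written for this page, not code from the Joe Sandbox report or from the sample; it decodes those values into network IOCs. Its inputs are copied from the Preview fields above (the INI and the connect/listen/accept log lines). The one assumption, the editor's and not stated anywhere in the report, is that the hex host is a big-endian IPv4 address: it is the reading under which the listener binds 7f000007 (127.0.0.7) and accepts from 7f000001 (127.0.0.1), i.e. the local IPC channel between the dropped components, and under which 4d53c7a1 becomes 77.83.199.161, contacted on more than one port (41674 from the INI, 41676 in the log), which is what the "Connects to many ports of the same IP" signature describes.

```python
"""Decode the endpoints in the dropped cnccli INI and debug log.

Added example for this report page, not the sample's or the sandbox's
code. Inputs are copied from the report's Preview fields. Assumption
(editor's): 8-hex-digit hosts are big-endian IPv4 addresses, inferred
from the listener binding 7f000007 and accepting from 7f000001.
"""
import configparser
import ipaddress
import re
from dataclasses import dataclass

# Copied from the INI preview; the ".." in the preview are CRLF terminators.
CNCCLI_INI = """[main]
version=40000564c2492016
[cnccli]
server_host=4d53c7a1
server_port=41674
server_timeo=15000
i2p_try_num=2
i2p_sam3_timeo=15000
i2p_addr=2lyi6mgj6tn4eexl6gwnujwfycmq7dcus2x42petanvpwpjlqrhq.b32.i2p
tor_addr=pv73shvxmlg5geqvbfqlcllmlml2recg4gmycydfnacnxivff4u6poad.onion
tor_port=41671
tor_try_num=2
tor_timeo=15000
"""

# Connect/listen/accept lines copied from the two debug-log previews.
DEBUG_LOG = """[I] tcp_connect -> 0x194,7f000007:41673
[I] tcp_connect -> 0x3e4,4d53c7a1:41676
[I] sock_close -> 0x3e4
[I] tcp_listen -> 0x210,7f000007:41673
[I] tcp_accept -> 0x210,0x214,7f000001:49725
[I] tcp_accept -> 0x210,0x21c,7f000001:49726
"""

HEX_IPV4 = re.compile(r"^[0-9a-fA-F]{8}$")
ENDPOINT = re.compile(r"\b([0-9a-fA-F]{8}):(\d{1,5})\b")  # hexhost:port in log lines
EVENT = re.compile(r"\] (tcp_\w+) ->")
ONION = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")   # v2 or v3 onion
B32_I2P = re.compile(r"\b[a-z2-7]{52}\.b32\.i2p\b")               # base32 of 32 bytes


def decode_hex_ip(token: str) -> str:
    """'4d53c7a1' -> '77.83.199.161' (big-endian, one byte per octet; assumption)."""
    if not HEX_IPV4.match(token):
        raise ValueError(f"not an 8-hex-digit IPv4: {token!r}")
    return str(ipaddress.IPv4Address(int(token, 16)))


@dataclass(frozen=True)
class Endpoint:
    event: str
    ip: str
    port: int


def parse_ini(text: str) -> dict:
    """Pull the C2 server and the Tor/I2P fallbacks out of the [cnccli] section."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    c = cp["cnccli"]
    return {
        "server": Endpoint("server", decode_hex_ip(c["server_host"]), int(c["server_port"])),
        "tor_addr": c["tor_addr"],
        "tor_port": int(c["tor_port"]),
        "i2p_addr": c["i2p_addr"],
    }


def parse_log(text: str) -> list[Endpoint]:
    """Return one Endpoint per tcp_* event that carries a hexhost:port pair."""
    out = []
    for line in text.splitlines():
        ev, ep = EVENT.search(line), ENDPOINT.search(line)
        if ev and ep:
            out.append(Endpoint(ev.group(1), decode_hex_ip(ep.group(1)), int(ep.group(2))))
    return out


def extract_iocs(ini_text: str, log_text: str) -> dict:
    """Split loopback IPC from external contacts and collect the overlay addresses."""
    cfg = parse_ini(ini_text)
    eps = parse_log(log_text)
    loop = [e for e in eps if ipaddress.IPv4Address(e.ip).is_loopback]
    external = {(e.ip, e.port) for e in eps if ipaddress.IPv4Address(e.ip).is_loopback is False}
    external.add((cfg["server"].ip, cfg["server"].port))
    return {
        "external_endpoints": sorted(external),
        "loopback_ports": sorted({e.port for e in loop}),
        "onion": sorted(set(ONION.findall(ini_text))),
        "i2p": sorted(set(B32_I2P.findall(ini_text))),
        "tor_port": cfg["tor_port"],
    }


if __name__ == "__main__":
    for k, v in extract_iocs(CNCCLI_INI, DEBUG_LOG).items():
        print(f"{k}: {v}")
```

The external endpoints and the .onion / .b32.i2p strings are what belongs in a blocklist or a network detection; the loopback ports (41673 and the ephemeral 497xx client ports) are only useful for host-side correlation, since they never leave the machine. Run the same decoder over the full debug log rather than the truncated preview to recover every port the sample tried on 77.83.199.161.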
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
                                                                                  File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):10258432
                                                                                  Entropy (8bit):6.563803554569333
                                                                                  Encrypted:false
                                                                                  SSDEEP:98304:kfcCiSIv86CMpPUjdCaBfVazjr5/Ugk2Gjfxf+1Fmsn36V40unjcZRoMe8L+68u6:WWsDQGbNnlunjcZ7y5S
                                                                                  MD5:4977BDC60F812A777E9B8C71AB63E49F
                                                                                  SHA1:86149FB630CC23950CE7BF8AC96157DD92299EF5
                                                                                  SHA-256:8588972AE59509FF882357307F5C3C7B0D1E80A7CD49AFC6F2C14BE623CB947B
                                                                                  SHA-512:AFB98F93CFE0F5046A77F74277F580122F1024A218A61C6C6C5F7F23C0BD1FA3D06F771D39E9A9BD3CA8A1F5642DB547156D066DB0C9438C96F3FC66AC92CE55
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 16%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g...............+..q....................@.....................................a....`... ..............................................0...6........... ..................,............................Y..(....................=...............................text...`.q.......q.................`..`.data.........r.......q.............@....rodata.......r.......r.............@....rdata...U....u..V....u.............@..@.pdata....... .....................@..@.xdata..@A...@...B..................@..@.bss.....................................idata...6...0...8...J..............@....CRT....h....p......................@....tls................................@....rsrc...............................@..@.reloc..,...........................@..B................................................................................................................................
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):8242176
                                                                                  Entropy (8bit):6.330923558030185
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:XhtRzAHLfWBHu5BPEjUhW0QSGwnCxqeZfFj39hLzp6SUROkgbRffZGM85EwVBb/z:2LjnsDSGuufjNKOkcZgEwlaUXPPx
                                                                                  MD5:731D8B8BA70489A73C7A56B891A69EF0
                                                                                  SHA1:76B144D8E8CDAC4E047F2F60D75E0D3F9A0CA781
                                                                                  SHA-256:64841D4D05C5E3438FE56671FEFB886F47E2C8C68F515392220BC0F7831C3779
                                                                                  SHA-512:68903C5205B5A699EF25A596A6C5765D312D0E6327B83D5C64E09C140E1B0D754002F8D6E058F2973620AB52A8FFAD6AC7E87AB54E9BE64AFB860EBB5BC23635
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                   • Filename: dld1.dd.exe, Detection: malicious
                                                                                   • Filename: pp.dd.exe, Detection: malicious
                                                                                   • Filename: dld1.dd.exe, Detection: malicious
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):7532
                                                                                  Entropy (8bit):5.700865690901051
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:wlp/RYlHaaC19sHQEsxd6os3F3asffposBLYsaUTVsstxsLJGSsaR1sD/seXs1ph:EkMdeFN/6UzSXNsK
                                                                                  MD5:CA490D2AED8574D8A79E7D133F4CE216
                                                                                  SHA1:2A127876044C27A38460B67EA9523447D5C9084C
                                                                                  SHA-256:565AB282B3E05F1B903FF7ED09AE22DE9350EB3F3DF418E9E5BB1A8BE5F84666
                                                                                  SHA-512:87A4E3267AC76342AD946C1377CBAD5CAAB94EE0A50FA170A97D3F4057A022BF2E1E299D74486F839B3EC23B9D12631D57E4F6CB9E7F7DC5001E9DA56E418DF9
                                                                                  Malicious:false
                                                                                  Preview:[I] debug_init -> Ok..[I] sys_init -> sys_win_dir=C:\Windows..[D] registry_get_value -> 0xffffffff80000002,SOFTWARE\Microsoft\Cryptography\MachineGuid..[I] sys_init -> sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06..[I] sys_init -> vol_sn=7011dacf..[I] sys_init -> sys_uid=c76a8f087011dacf,sys_os_ver=10.0.19045.0.0..[I] fs_file_read -> C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\update.pkg,17674405..[I] fs_path_expand -> %TEMP%,C:\Windows\TEMP,15..[I] fs_path_temp -> C:\Windows\TEMP\SIZ5ux0k,24..[I] fs_file_write -> C:\Windows\TEMP\SIZ5ux0k,wb,4..[I] fs_file_copy -> C:\Windows\TEMP\SIZ5ux0k,C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\referrer,1..[I] fs_file_delete -> C:\Windows\TEMP\SIZ5ux0k..[I] package_unpack -> C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\update.pkg,C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\,referrer,17..[I] fs_path_temp -> C:\Windows\TEMP\3vxRh6uI,24..[I] fs_file_write -> C:\Windows\TEMP\3vxRh6
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):2753
                                                                                  Entropy (8bit):5.571957964232093
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:i/lpc2RYlHaAykSrmc0NJMc0AJnc0bZJ2wc0d30QrNoxUix:wlp/RYlHaXCV6Y9zZswV3x6xUs
                                                                                  MD5:E6F0988248BFF54C5168D2DBE5F5056A
                                                                                  SHA1:3A52518F2EE19D7BF2DFC13035A4D2E8F7F8849D
                                                                                  SHA-256:EE55304716949EA24E145E677CF13DE6BD895791503D230AAE6802990DEC6E92
                                                                                  SHA-512:03D3F581976BF21CC32502CC48D244F440B31AE1DEE21A352DB68A3BDF295CBA95DFC2A1A2612006E6A88D505E521D85FC9839B1633DB9C4D588C9C3AA48928A
                                                                                  Malicious:false
                                                                                  Preview:[I] debug_init -> Ok..[I] sys_init -> sys_win_dir=C:\Windows..[D] registry_get_value -> 0xffffffff80000002,SOFTWARE\Microsoft\Cryptography\MachineGuid..[I] sys_init -> sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06..[I] sys_init -> vol_sn=7011dacf..[I] sys_init -> sys_uid=c76a8f087011dacf,sys_os_ver=10.0.19045.0.0..[I] net_init -> Ok..[I] ebus_init -> Ok..[I] ebus_subscribe -> 0x00007ffcabb05c84..[I] tcp_connect -> 0x208,7f000007:41673..[I] fs_dir_create -> C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\schtasks,0..[D] ebus_dispatch -> size=32,code=KCIT,sender=-VRSTVE-,receiver=--TSCB--,td=0,err=00000000..[D] ebus_dispatch -> size=32,code=KCIT,sender=-VRSTVE-,receiver=--TSCB--,td=0,err=00000000..[D] registry_enum_key -> 0xffffffff80000002,SOFTWARE\Clients\StartMenuInternet\,0,Firefox-308046B0AF4A39CB,24..[D] registry_get_value -> 0xffffffff80000002,SOFTWARE\Clients\StartMenuInternet\Firefox-308046B0AF4A39CB\(null)..[D] ebus_publish -> sock=0x208,size=56,code=ISRB,send
                                                                                  Process:C:\Users\user\Desktop\Q3N5HdmTIp.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):450
                                                                                  Entropy (8bit):3.17643055889664
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:ODPEEhlj/fQfjfEWNfElsfghFfShFfgmSem4emzYWr:ODcETj/oj8i8ls0FSFgID7r
                                                                                  MD5:1701E75B3BEE86A60C93805F5F655FCE
                                                                                  SHA1:65A8E1AC730A7CA921C083FFD2A9BF7BE12C7266
                                                                                  SHA-256:DB785E82BB5CE39317D2CB482553C9DA83EAD63FC70F231A65EAC31206B2E15D
                                                                                  SHA-512:ABD847A7052A864D85A1F83E97735A1AC24255FC606CF50A0F4BBFFA807EDEE2ACC3D55AF3D4F3C926E95B80FC5A3B4A0D3D5FCE449C4FB1796BF2D0B26533DC
                                                                                  Malicious:false
                                                                                   Preview (UTF-16 text, decoded):Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152} D:AI(D;;FA;;;BU)(A;;FA;;;BA)(A;OICIID;FA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;FA;;;CO)(A;OICIIOID;FA;;;SY)(A;OICIID;0x1301ff;;;IU)(A;OICIID;0x1301ff;;;SU)(A;OICIID;0x1301ff;;;S-1-5-3)
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):4
                                                                                  Entropy (8bit):2.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:9:9
                                                                                  MD5:006F29D8E822B9241020AEC2495EF819
                                                                                  SHA1:6510BEB08A14B6BCC74D32031C1B19AA07169CF1
                                                                                  SHA-256:69FF245F90727BBEFA5B1F82E2429FF74F31A6A5385B5129A2FE3378DCF200F1
                                                                                  SHA-512:16916BC4477F6FC1AE1132D2F5D2B9587650DC44E23DE15E0FE787AFE23175E0E236C020C753BA5158F688BEACDA523AAFB7EC1DF82B6F7619573C90A48742E8
                                                                                  Malicious:false
                                                                                  Preview:wgNj
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):3988
                                                                                  Entropy (8bit):5.483455635768907
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:wlp/RYlHavInQDDIdDLDwDhDG0DSDPDLD132SDgeDqD8DVjDpDFmxDSXyDXz/Fyp:cIOIF3uZ3kr3132kt8K9BFmJSXyDXBhu
                                                                                  MD5:C465A86DDFB7C97E08DE8EA3589360EE
                                                                                  SHA1:9AEE8FC2830361D489BE13E06DFE23FF954CDA7D
                                                                                  SHA-256:218ED6425A4341A03DBC27F9737C126FFB37C2F77BDDB61E290C5D2297A87E9C
                                                                                  SHA-512:5FF6114463931B8109B0A91CD7EB0E004835F0FBD2EA1BF7CF94CA2EDC0472D80F8D9633218ED32E5E22190FABE13D17BEAE9100FF917624C7360BE7F55DE519
                                                                                  Malicious:false
                                                                                  Preview:[I] debug_init -> Ok..[I] sys_init -> sys_win_dir=C:\Windows..[D] registry_get_value -> 0xffffffff80000002,SOFTWARE\Microsoft\Cryptography\MachineGuid..[I] sys_init -> sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06..[I] sys_init -> vol_sn=7011dacf..[I] sys_init -> sys_uid=c76a8f087011dacf,sys_os_ver=10.0.19045.0.0..[I] net_init -> Ok..[I] sam_init -> Ok..[I] ebus_init -> Ok..[I] ebus_subscribe -> 0x00007ffcac51d1e2..[I] tcp_connect -> 0x1bc,7f000007:41673..[D] users_sync -> Administrator:S-1-5-21-2246122658-3693405117-2476756634-500..[D] users_sync -> DefaultAccount:S-1-5-21-2246122658-3693405117-2476756634-503..[D] users_sync -> Guest:S-1-5-21-2246122658-3693405117-2476756634-501..[D] users_sync -> user:S-1-5-21-2246122658-3693405117-2476756634-1002..[D] users_sync -> WDAGUtilityAccount:S-1-5-21-2246122658-3693405117-2476756634-504..[I] users_sync -> 5..[D] ebus_dispatch -> size=32,code=KCIT,sender=-VRSTVE-,receiver=--TSCB--,td=0,err=00000000..[D] groups_sync -> Access Control As
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
                                                                                  File Type:XML 1.0 document, ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):1479
                                                                                  Entropy (8bit):4.931501975012779
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:2di4+SKgpzygp5mMBIn0QKMhEMOF5pwOzNLU3ODOiTQRvh7hwrgXuI:cgEc0QFdOFQOzNI3ODOiQdKrsuI
                                                                                  MD5:A850408E8BF762BDBC84E09083C3DE3A
                                                                                  SHA1:EE6CD4C1703299B76332F38BFDBA14D86394526E
                                                                                  SHA-256:C9E9C19449C7EDDD0436A60BFBA88494E3ABB89BA68FFD2E95E0E43024308D6C
                                                                                  SHA-512:077D99E1E599B75EB6DD9F55D43F63B2139B2BE4E0C4CDBC97524738124406636E255A58397A92DDA6CC786DC9E9B0130223C2AA1076C2860D7EE0DA78AE001A
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <Triggers>. <LogonTrigger>. <Repetition>. <Interval>PT10M</Interval>. <StopAtDurationEnd>false</StopAtDurationEnd>. </Repetition>. <Enabled>true</Enabled>. </LogonTrigger>. <RegistrationTrigger>. <Repetition>. <Interval>PT10M</Interval>. <StopAtDurationEnd>false</StopAtDurationEnd>. </Repetition>. <Enabled>true</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <RunLevel>LeastPrivilege</RunLevel>. <GroupId>S-1-5-32-545</GroupId>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>false</Sta
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):20852
                                                                                  Entropy (8bit):6.051555846388522
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:o1thO4nVNy1h8LHMY4oEtVIb1h/U/52q4VVzS1hpviWYL/4rq8Vlr1hQUSbkM186:cjOmTyubREtYjoUUdaWYzw/5kOGlPhiq
                                                                                  MD5:CD21D87BC93A79C8A6001EFE076F76B9
                                                                                  SHA1:902232CA43491CEB999B1DAED69265CEEB9E6EF3
                                                                                  SHA-256:93A6025B2B4A269D15C4149ED50442BFA7E35EAA7463BC2143F100B6BE92DCD7
                                                                                  SHA-512:D77204F413A5281B8A5B05BBBE83B215AD604CF918A0AC11C23EC652925F07AE24A507F62D63D8344F47A000E2122FB70621FF9D113F607F3AD60FDBF4B575FB
                                                                                  Malicious:false
                                                                                  Preview:dir-key-certificate-version 3..fingerprint F533C81CEF0BC0267857C99B2F471ADF249FA232..dir-key-published 2024-05-09 05:10:14..dir-key-expires 2025-05-09 05:10:14..dir-identity-key..-----BEGIN RSA PUBLIC KEY-----..MIIBigKCAYEA26vma35pBGlxbq19BQvjxF0+e54AsnGL31+DUdfDYhwK5Pb0Pj0E..riYH63W/rGeZr/aevtp4VjMT6WDMhc+hu4WHitX08tTm9iuUinAAG/7zqi3MOmuq..aS7/hs7smKJsUSQhT47b60DUl7FwQcfGepk5ssz/Q4gppPEJd4gu6hlukfdQPSZS../m56Q6YDF/ZjbQCzL4+RnXhY+pyAonPKxxdSic0J6Zjz43dPyzrz5TOmhVOc5oaI..DeY1/kA6FbIMprieHgU2k6kvYsCPcHtQlndoga4JVwfXoZ7RsmFfHvhqMFRGWg+p..CkPiF8waM7d7mr05qw96MPZB5MJtcFlbta2QNOQL/avg7ji6Tegpi9ou8zYzaLFW..VFs6cqe875TdCtCxhTNcjYxYXxaVJyz4Q7F41Os2POCka6cKNhe94VLt4/+5kQKf..fsj8shzenxoffMasmIzHYOI5ZX3pPrOGajKbkjufl1jf6mQ+T5jiTfCSQHGtajFC..fSbDUgA3LbnzAgMBAAE=..-----END RSA PUBLIC KEY-----..dir-signing-key..-----BEGIN RSA PUBLIC KEY-----..MIIBCgKCAQEAxdxGFs4GVYjcpMmnJehmi4BmY//UNYyFEGLh8UJieiB8y5IOZ/31..jXBF6+ip9OyVwMiPUxBvCUiKRT1qU7zisOJ3kqeYi4Lrz2WJR40n0a5c8nHhALzJ..tGCSi8Ugx7kk1z1utnprrGyT1ahZ
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe
                                                                                  File Type:ASCII text, with very long lines (1119)
                                                                                  Category:dropped
                                                                                  Size (bytes):3279425
                                                                                  Entropy (8bit):5.610320565243548
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:XOJDwpaDyxieEnmFvpFJ7A6pCPmlIddsBndcozUmrUgvleqnQb3/nsDM:XO1462rEmFvlmZGzRrtteF/nr
                                                                                  MD5:E5F9E2AFC55CA105DA36AC57C7C6C8A4
                                                                                  SHA1:603EC20AF631F939146DAE8648463A5917715509
                                                                                  SHA-256:C9711FC0F2AFA5DE7540A1CC29748D135EB594A4B4DF81EBBCC219B632ABD0BD
                                                                                  SHA-512:746800DACCC54A8AA6E5B75C7343EF83D0F5118208E698842481D24C3E0E8BCE5166EE99B63AB1C88E08A929FBB0E577FFE3E2D79130D4351DE17B6BB234217B
                                                                                  Malicious:false
                                                                                  Preview:network-status-version 3 microdesc.vote-status consensus.consensus-method 33.valid-after 2025-03-17 08:00:00.fresh-until 2025-03-17 09:00:00.valid-until 2025-03-17 11:00:00.voting-delay 300 300.client-versions 0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10,0.4.8.11,0.4.8.12,0.4.8.13,0.4.8.14,0.4.9.1-alpha.server-versions 0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10,0.4.8.11,0.4.8.12,0.4.8.13,0.4.8.14,0.4.9.1-alpha.known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid.recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2.recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2.required-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.params AuthDirMaxServersPe
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe
                                                                                  File Type:ASCII text, with very long lines (10800)
                                                                                  Category:modified
                                                                                  Size (bytes):21658816
                                                                                  Entropy (8bit):4.766205503640465
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:TVMEFk+FFBgSBkrJpDZOIwC6ECXxxBzChKBdpbPB9cbJpvgtcfEjxHnyubFNUV5s:XNjxPRAre6LtSI+0Ey4hk4JIS
                                                                                  MD5:FE3311A744D7CD2647B6DAADABD2825A
                                                                                  SHA1:C2264237F0F9D1D6E1B51A13F618850AB6946173
                                                                                  SHA-256:B6BC8E82272D5A6BA7A400324F7D78EAAFD55AA0E6314C351DC3AAA39CE12CC6
                                                                                  SHA-512:B6EFE57053F8DF7955E1EE37395CF07DFABB47FC57E8E0D22F7EA41A07AD3CB6AAA6F390D5130B2400D4F26A52C9DA79615C55767C0D0A06B22841BE9B27278D
                                                                                  Malicious:false
                                                                                  Preview:@last-listed 2025-03-17 08:39:22.onion-key.-----BEGIN RSA PUBLIC KEY-----.MIGJAoGBAJbQEaoi48/DyYPSo0Mg5nwdUdL9iGNbybOwRbZMYTGvIWPi+ikUHlnH.q6ICfNTEkKRKGCS6atyLXg0Q3fclw2HlkPYR0rWuIQDGBm0qwvH00ihryuI0Q3sm.xgnMEIeN6uOxgDw0MiR6YYM7kdhbmcCsY/JEgU2/6QHlXh0EML09AgMBAAE=.-----END RSA PUBLIC KEY-----.ntor-onion-key ZBtMptsZuBPBX9t/hcwBbVFQ3DaHcUxh7hMDS9TFBXI.family $042944E139508E6A8495AA1F6F320D1087D84930 $05A48DCB220236FCCA21B432C3D4A1FCE8AFCEEB $0DC16FEAA5A5E27A974009CBF7748BB6FAAE6DE1 $11C7F8EEEE7445618DD7DE562F7D1218B5DB4B2E $16D3252B519861248FDEABE05A6F3B97BC510557 $16E09CB06617A7215885B6C7C8436B1F8D07960F $196C05BF08CC248EE563B49D36CAC89793AFBC5E $324053C8A296BF31A4A908CB407545DA92DF32F8 $37C984BB069C29573FB8F9F6C610DC14763B5305 $42E817BE07AB39CA3BD7A442AF08E007FF2E3F5B $44D1929690CF1DEF95C5D1F4F66281CF18311618 $47EC4211A4A66768224BC18912AF8FB6E880003C $4A39E7D2C121F664CFD9B5DF80CE9E70BB8B3C16 $4B8F0F8BB18F1D9ADC1FE7E54B3D3D605C1919A7 $4F0C498701A41F4D9CA677EA763FD8CA45348E97 $5409FECC2
                                                                                  Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):3476
                                                                                  Entropy (8bit):5.31454230931648
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:cJmc5IPREIPH1/vzjhuTflI+2j0YUKXOA1ltEAo0p:imc6mI/ZzjYDlZlYUmq0p
                                                                                  MD5:3A19C56638AE7D526554B0AAE007DB83
                                                                                  SHA1:81B24B0C7D16FFA037146513EBB3F68D5C66509F
                                                                                  SHA-256:6C04F97E6D51390431CFA349F1FC4A40E17F85720274A39B37EBCE20C2603023
                                                                                  SHA-512:AA50251DBA94B07195603318CD18072C4B3BB300FBF2E9FED58A6E048F0884D57116128AB12A8EE85E648B1A8BBB5147A8E491712485F1F739CDE2F946854EBF
                                                                                  Malicious:false
                                                                                  Preview:# Tor state file last generated on 2025-03-17 04:39:49 local time..# Other times below are in UTC..# You *do not* need to edit this file.....Dormant 0..Guard in=default rsa_id=9278662F9BFEF6B271301A93B9A13FF419446D70 nickname=kolne59 sampled_on=2025-03-15T05:17:22 sampled_idx=0 sampled_by=0.4.8.14 listed=1 confirmed_on=2025-03-09T23:44:40 confirmed_idx=0..Guard in=default rsa_id=F9246DEF2B653807236DA134F2AEAB103D58ABFE nickname=Freebird31 sampled_on=2025-03-12T09:46:20 sampled_idx=1 sampled_by=0.4.8.14 listed=1..Guard in=default rsa_id=5B7A7720F84441F7BABE6C6CE8347C56DC4D6569 nickname=onionXR sampled_on=2025-03-10T10:14:20 sampled_idx=2 sampled_by=0.4.8.14 listed=1..Guard in=default rsa_id=2337B732226D81DB3E59992B0A323C90429606DC nickname=book sampled_on=2025-03-15T09:45:34 sampled_idx=3 sampled_by=0.4.8.14 listed=1..Guard in=default rsa_id=42B4F52C5B11E4D39855F654955425B0D5A0598B nickname=ENiGMA sampled_on=2025-03-14T05:14:26 sampled_idx=4 sampled_by=0.4.8.14 listed=1..Guard in=defaul
Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\tor.exe
File Type:ASCII text, with very long lines (1119)
Category:dropped
Size (bytes):3279425
Entropy (8bit):5.610320565243548
Encrypted:false
SSDEEP:12288:XOJDwpaDyxieEnmFvpFJ7A6pCPmlIddsBndcozUmrUgvleqnQb3/nsDM:XO1462rEmFvlmZGzRrtteF/nr
MD5:E5F9E2AFC55CA105DA36AC57C7C6C8A4
SHA1:603EC20AF631F939146DAE8648463A5917715509
SHA-256:C9711FC0F2AFA5DE7540A1CC29748D135EB594A4B4DF81EBBCC219B632ABD0BD
SHA-512:746800DACCC54A8AA6E5B75C7343EF83D0F5118208E698842481D24C3E0E8BCE5166EE99B63AB1C88E08A929FBB0E577FFE3E2D79130D4351DE17B6BB234217B
Malicious:false
Preview:network-status-version 3 microdesc.vote-status consensus.consensus-method 33.valid-after 2025-03-17 08:00:00.fresh-until 2025-03-17 09:00:00.valid-until 2025-03-17 11:00:00.voting-delay 300 300.client-versions 0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10,0.4.8.11,0.4.8.12,0.4.8.13,0.4.8.14,0.4.9.1-alpha.server-versions 0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10,0.4.8.11,0.4.8.12,0.4.8.13,0.4.8.14,0.4.9.1-alpha.known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid.recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2.recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2.required-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.params AuthDirMaxServersPe
Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):8978432
Entropy (8bit):6.237058847071577
Encrypted:false
SSDEEP:98304:oUFT5nDjJeCCW1oC0OrU/E+mcT7f4YRi113MLWw57l9GkPM8:fT5XJoWiC0/ECQYk13MOk
MD5:35FE245CD1A7FD3D7BA014F062C625FF
SHA1:53707D985DF4F0F662DE3C0B5569894C18838C3B
SHA-256:02282AB31D10E230F545E67F3B4C1A9A67362BEDBF7FE5ED7DE7D1FCD1E45D12
SHA-512:B0299486A19FC19F52C0BBE044CEE40046CA14EACDF12DD343C56E687F33DA8B50735620D2183F05030FFAB1BC1DD1437718C625910748F6BABA0EB73AB69C3A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
File Type:ASCII text
Category:dropped
Size (bytes):172
Entropy (8bit):4.862477824090626
Encrypted:false
SSDEEP:3:0rMRQcUlMCF+RMGTy/hWAi+28hwHnc5CFmJBLRxUtDekjW6dVV9SH3AF0NKP8AAu:CMRQDMC4m/cAi+ZhwHc5C2LXynjW2EXA
MD5:9C4ABA76A21EC56AF14901E5E6FB5806
SHA1:D403E89F6FDCFC6755119ADB4984DB59DC4CBAFE
SHA-256:848D88DE5D3BCA8B205AB3976FE6CAA879FA765EEC6E9AD6347E829980D6CA89
SHA-512:D37E67EEC4023F37D00102EE124335D2928902CDA7B679CEED84F1B65F76067B5D4C57246107501BC5E1250EFB325E70456BAD04D0E7597DAB585CFE2473A440
Malicious:true
Preview:SOCKSPort 127.0.0.2:19191.Log notice stderr.DataDirectory ./tor-data.UseBridges 0.ClientTransportPlugin obfs4 exec ./lyrebird.exe.# bridge placeholder.# bridge placeholder.
Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):87040
Entropy (8bit):6.26215847596413
Encrypted:false
SSDEEP:1536:E6rerNzBRK1CSSadppQ7ylVdsGXo9g3A+LQ86S3k3QGA+/7NH9N:Ldw+lGL8/S5/pHD
MD5:7AC7A2A88B35F1DC94F20B5BE18884C8
SHA1:41569FCD1E107190683A3AEE86AABCF23318B65F
SHA-256:05BB86796811A199F12CFFAD43DEA156145828F54BEF51D170E6B891BA5FC1C1
SHA-512:515476FED99B5C6B255F3073BFE79135C08706290D8086F28B997672B131135A97435419ABAED6B8FB9BE0F12589BA0BD8FF3D6D1DED2AE19452545B8E00B5E3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):88576
Entropy (8bit):6.250574445104782
Encrypted:false
SSDEEP:1536:98I4me46n2IFwCQ0AzWtLloJgN7o2L5uf37kt4mcED9zC0DLaMRSPTp2eH9n:qPmcZhVuAIIaWSP4eH9n
MD5:AC12B0395E1F6A2133C85B8513F15244
SHA1:C6C9426409561321DA91DC6B0E52CB65656797F4
SHA-256:C49187FD90FF52C7F92861757F1072CBF55E654C333B828E4243883FF90AA1E4
SHA-512:5CD562E3A087712FCDE1DC36E618F1247CEC6FD29C059A03F0D3B400662679A64BA30F7C09B04099404E4F5B3E21D7A051E08EAE1CD0677BC32E128EC3AAA2F3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):77824
Entropy (8bit):6.26574119762464
Encrypted:false
SSDEEP:1536:QqV1umVZKfr8J/w167ZlkCxYwAWYukcvPr5+EO39r4wy8/QEkGDsFzrf3Gjt2t:b/XkCiQYvr54i/DkGDsNfU0
MD5:B0B755C4D0E3AA0A93C723365E66A478
SHA1:F8372A3FEE01F1093B6DECB7CC1DFC23D451F5F4
SHA-256:D74ACBF872E10C5C79D20DC5FBF2A74B5D4CA01ACDCD6308D9FEBC53C09FC39F
SHA-512:4ECCC0B3F119D2FEA04040FA6ED80661E86341BBF32F02FFD28354487AA8FB0E98D1D99BD2856C248E58720EAE45CC3431DFC7BACBDD7D2D642E895F1DE997DF
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Process:C:\Users\Public\Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}\TbQwNs1NS7.exe
File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):95232
Entropy (8bit):6.202655361914829
Encrypted:false
SSDEEP:1536:O84dmmSG/haWTSL5EtM+og9Yx5mva/yAjG89DXlaOqMFZezPbQhMQC0bzRt:Ody5/31N/BlcjQhMQ
MD5:407DD067A3F87759416724EA604BADEF
SHA1:13D5D2B352F14736924595AF5EBDA89901F130D4
SHA-256:B4307170FB3EBCB8BBA1EE3A05D0548F5C092F3154E3BE22D4B11285368E84AE
SHA-512:D4FB9BC63E2195C2ABE1EC77EB46D6049888E22493BA69E741764896DA03A2E1EF6DE60898CF0ADA95D949ED20AA79791B82B2FD845FCE03B1B3EF068BA765A7
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%