Edit tour

Windows Analysis Report
1 (325).exe

Overview

General Information

Sample name:	1 (325).exe
Analysis ID:	1646673
MD5:	6ec3670524d99cecd05f314bb9dc8000
SHA1:	a09af51d2c58f957eb65a120e5dc611ad9baedd3
SHA256:	40833a25c278f835625a763fa5890f7e464115e1e828bb2d19f5fb4c326fe139
Tags:	exeGenericMalwareMulti-Platformuser-malwhere
Infos:

Detection

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Changes autostart functionality of drives

Changes the view of files in windows explorer (hidden files and folders)

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Connects to many ports of the same IP (likely port scanning)

Contains functionality to detect sleep reduction / modifications

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates autorun.inf (USB autostart)

Creates multiple autostart registry keys

Deletes keys related to Windows Defender

Deletes keys which are related to windows safe boot (disables safe mode boot)

Disable UAC(promptonsecuredesktop)

Disables UAC (registry)

Disables Windows Defender (deletes autostart)

Disables the Windows registry editor (regedit)

Disables user account control notifications

Drops executables to the windows directory (C:\Windows) and starts them

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Joe Sandbox ML detected suspicious sample

Queries random domain names (often used to prevent blacklisting and sinkholes)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Connects to many different domains

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Executes massive DNS lookups (> 100)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May check the online IP address of the machine

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Tries to resolve many domain names, but no domain seems valid

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

1 (325).exe (PID: 8648 cmdline: "C:\Users\user\Desktop\1 (325).exe" MD5: 6EC3670524D99CECD05F314BB9DC8000)

vynygujmbmu.exe (PID: 8728 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe*" MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

xcntwhk.exe (PID: 8988 cmdline: "C:\Users\user\AppData\Local\Temp\xcntwhk.exe" "-C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe" MD5: FCF54958844053BF3D98F6ABED4C0E38)

xcntwhk.exe (PID: 9004 cmdline: "C:\Users\user\AppData\Local\Temp\xcntwhk.exe" "-C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe" MD5: FCF54958844053BF3D98F6ABED4C0E38)

vynygujmbmu.exe (PID: 3232 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe" MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

vynygujmbmu.exe (PID: 4544 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe" MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

vynygujmbmu.exe (PID: 984 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe" MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

vynygujmbmu.exe (PID: 8736 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe" MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

vynygujmbmu.exe (PID: 3712 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe" MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

vynygujmbmu.exe (PID: 6228 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe" MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

vynygujmbmu.exe (PID: 6912 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe" MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

vynygujmbmu.exe (PID: 6888 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe" MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

vynygujmbmu.exe (PID: 9208 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe" MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

vynygujmbmu.exe (PID: 3308 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe" MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

vynygujmbmu.exe (PID: 5912 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe" MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

wketfzlduiemgwjc.exe (PID: 8472 cmdline: "C:\Windows\wketfzlduiemgwjc.exe" . MD5: 6EC3670524D99CECD05F314BB9DC8000)

vynygujmbmu.exe (PID: 7000 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\windows\wketfzlduiemgwjc.exe*." MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

zsrlcbsplefsrmecxqpja.exe (PID: 7120 cmdline: "C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe" . MD5: 6EC3670524D99CECD05F314BB9DC8000)

vynygujmbmu.exe (PID: 7080 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\appdata\local\temp\zsrlcbsplefsrmecxqpja.exe*." MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

kcatjhxtoggsqkbyskib.exe (PID: 6720 cmdline: "C:\Windows\kcatjhxtoggsqkbyskib.exe" . MD5: 6EC3670524D99CECD05F314BB9DC8000)

vynygujmbmu.exe (PID: 8480 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\windows\kcatjhxtoggsqkbyskib.exe*." MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

xoldspeztkjurkawpgd.exe (PID: 8640 cmdline: "C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe" . MD5: 6EC3670524D99CECD05F314BB9DC8000)

vynygujmbmu.exe (PID: 808 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\appdata\local\temp\xoldspeztkjurkawpgd.exe*." MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

zsrlcbsplefsrmecxqpja.exe (PID: 1188 cmdline: "C:\Windows\zsrlcbsplefsrmecxqpja.exe" MD5: 6EC3670524D99CECD05F314BB9DC8000)

wketfzlduiemgwjc.exe (PID: 2212 cmdline: "C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe" MD5: 6EC3670524D99CECD05F314BB9DC8000)

xoldspeztkjurkawpgd.exe (PID: 5928 cmdline: "C:\Windows\xoldspeztkjurkawpgd.exe" MD5: 6EC3670524D99CECD05F314BB9DC8000)

xoldspeztkjurkawpgd.exe (PID: 3844 cmdline: "C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe" MD5: 6EC3670524D99CECD05F314BB9DC8000)

mcypdznhaqoyumbwoe.exe (PID: 4996 cmdline: "C:\Windows\mcypdznhaqoyumbwoe.exe" . MD5: 6EC3670524D99CECD05F314BB9DC8000)

vynygujmbmu.exe (PID: 4856 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\windows\mcypdznhaqoyumbwoe.exe*." MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

dsndqlyrjyvezqeyp.exe (PID: 8984 cmdline: "C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe" . MD5: 6EC3670524D99CECD05F314BB9DC8000)

vynygujmbmu.exe (PID: 1888 cmdline: "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\appdata\local\temp\dsndqlyrjyvezqeyp.exe*." MD5: 41DF81AFF42D8E6E4B41284FFA00709D)

zsrlcbsplefsrmecxqpja.exe (PID: 6740 cmdline: "C:\Windows\zsrlcbsplefsrmecxqpja.exe" MD5: 6EC3670524D99CECD05F314BB9DC8000)

dsndqlyrjyvezqeyp.exe (PID: 1496 cmdline: "C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe" MD5: 6EC3670524D99CECD05F314BB9DC8000)

cleanup

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe, ProcessId: 8728, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oyozhxftgqim

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: xoldspeztkjurkawpgd.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe, ProcessId: 8728, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oasfphrhwiciao

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: mcypdznhaqoyumbwoe.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe, ProcessId: 8728, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oyozhxftgqim

Suricata Signatures

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-24T08:07:30.244207+0100	2018141	1	A Network Trojan was detected	13.213.51.196	80	192.168.2.5	49755	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-24T08:07:30.244207+0100	2037771	1	A Network Trojan was detected	13.213.51.196	80	192.168.2.5	49755	TCP

ET MALWARE Win32/Pykspa.C Public IP Check

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-24T08:06:53.181094+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49723	172.66.40.87	80	TCP
2025-03-24T08:06:55.120821+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49724	104.19.222.79	80	TCP
2025-03-24T08:06:56.461262+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49727	172.67.155.175	80	TCP
2025-03-24T08:07:00.104468+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49733	172.66.40.87	80	TCP
2025-03-24T08:07:01.370043+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49734	104.19.222.79	80	TCP
2025-03-24T08:07:02.600154+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49735	172.67.155.175	80	TCP
2025-03-24T08:07:03.844825+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49736	172.67.155.175	80	TCP
2025-03-24T08:07:06.187608+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49738	104.19.222.79	80	TCP
2025-03-24T08:07:07.470983+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49739	172.67.155.175	80	TCP
2025-03-24T08:07:11.727102+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49740	104.19.222.79	80	TCP
2025-03-24T08:07:14.098111+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49742	104.19.222.79	80	TCP
2025-03-24T08:07:15.497019+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49743	172.67.155.175	80	TCP
2025-03-24T08:07:18.095660+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49745	172.66.40.87	80	TCP
2025-03-24T08:07:21.569894+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49748	172.66.40.87	80	TCP
2025-03-24T08:07:33.672380+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49763	104.19.222.79	80	TCP
2025-03-24T08:07:36.140976+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49765	172.67.155.175	80	TCP
2025-03-24T08:07:37.364352+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49766	172.67.155.175	80	TCP
2025-03-24T08:07:38.627624+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49767	104.19.222.79	80	TCP
2025-03-24T08:07:39.915473+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49771	172.66.40.87	80	TCP
2025-03-24T08:07:41.146724+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49772	172.66.40.87	80	TCP
2025-03-24T08:07:44.581445+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49776	172.67.155.175	80	TCP
2025-03-24T08:07:45.833642+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49778	172.66.40.87	80	TCP
2025-03-24T08:07:49.255647+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49782	172.66.40.87	80	TCP
2025-03-24T08:07:50.581604+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49783	172.66.40.87	80	TCP
2025-03-24T08:07:52.953700+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49787	172.66.40.87	80	TCP
2025-03-24T08:08:02.368918+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49797	104.19.222.79	80	TCP
2025-03-24T08:08:03.597535+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49799	104.19.222.79	80	TCP
2025-03-24T08:08:05.861398+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49802	172.66.40.87	80	TCP
2025-03-24T08:08:07.093798+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49803	104.19.222.79	80	TCP
2025-03-24T08:08:08.323435+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49805	172.66.40.87	80	TCP
2025-03-24T08:08:09.551830+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49806	172.66.40.87	80	TCP
2025-03-24T08:08:10.877331+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49808	172.66.40.87	80	TCP
2025-03-24T08:08:14.414208+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49812	172.66.40.87	80	TCP
2025-03-24T08:08:15.647847+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49814	172.66.40.87	80	TCP
2025-03-24T08:08:16.900257+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49815	104.19.222.79	80	TCP
2025-03-24T08:08:18.129930+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49817	104.19.222.79	80	TCP
2025-03-24T08:08:19.366813+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49819	172.66.40.87	80	TCP
2025-03-24T08:08:20.729064+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49820	172.67.155.175	80	TCP
2025-03-24T08:08:24.592622+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49826	172.66.40.87	80	TCP
2025-03-24T08:08:25.816984+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49827	172.67.155.175	80	TCP
2025-03-24T08:08:28.091312+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49830	172.66.40.87	80	TCP
2025-03-24T08:08:29.385435+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49831	172.66.40.87	80	TCP
2025-03-24T08:08:30.618500+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49833	104.19.222.79	80	TCP
2025-03-24T08:08:31.848597+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49835	104.19.222.79	80	TCP
2025-03-24T08:08:33.069021+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49836	172.66.40.87	80	TCP
2025-03-24T08:08:34.373252+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49837	104.19.222.79	80	TCP
2025-03-24T08:08:36.747699+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49841	104.19.222.79	80	TCP
2025-03-24T08:08:37.980154+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49842	172.67.155.175	80	TCP
2025-03-24T08:08:39.207759+0100	2018773	1	A Network Trojan was detected	192.168.2.5	49844	172.67.155.175	80	TCP

ETPRO MALWARE Common Downloader Header Pattern General HAUC

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-24T08:06:53.181094+0100	2803307	3	Unknown Traffic	192.168.2.5	49723	172.66.40.87	80	TCP
2025-03-24T08:06:55.120821+0100	2803307	3	Unknown Traffic	192.168.2.5	49724	104.19.222.79	80	TCP
2025-03-24T08:06:56.461262+0100	2803307	3	Unknown Traffic	192.168.2.5	49727	172.67.155.175	80	TCP
2025-03-24T08:07:00.104468+0100	2803307	3	Unknown Traffic	192.168.2.5	49733	172.66.40.87	80	TCP
2025-03-24T08:07:01.370043+0100	2803307	3	Unknown Traffic	192.168.2.5	49734	104.19.222.79	80	TCP
2025-03-24T08:07:02.600154+0100	2803307	3	Unknown Traffic	192.168.2.5	49735	172.67.155.175	80	TCP
2025-03-24T08:07:03.844825+0100	2803307	3	Unknown Traffic	192.168.2.5	49736	172.67.155.175	80	TCP
2025-03-24T08:07:06.187608+0100	2803307	3	Unknown Traffic	192.168.2.5	49738	104.19.222.79	80	TCP
2025-03-24T08:07:07.470983+0100	2803307	3	Unknown Traffic	192.168.2.5	49739	172.67.155.175	80	TCP
2025-03-24T08:07:11.727102+0100	2803307	3	Unknown Traffic	192.168.2.5	49740	104.19.222.79	80	TCP
2025-03-24T08:07:14.098111+0100	2803307	3	Unknown Traffic	192.168.2.5	49742	104.19.222.79	80	TCP
2025-03-24T08:07:15.497019+0100	2803307	3	Unknown Traffic	192.168.2.5	49743	172.67.155.175	80	TCP
2025-03-24T08:07:18.095660+0100	2803307	3	Unknown Traffic	192.168.2.5	49745	172.66.40.87	80	TCP
2025-03-24T08:07:21.569894+0100	2803307	3	Unknown Traffic	192.168.2.5	49748	172.66.40.87	80	TCP
2025-03-24T08:07:22.882096+0100	2803307	3	Unknown Traffic	192.168.2.5	49749	208.80.154.224	80	TCP
2025-03-24T08:07:26.170625+0100	2803307	3	Unknown Traffic	192.168.2.5	49751	69.147.82.60	80	TCP
2025-03-24T08:07:26.585094+0100	2803307	3	Unknown Traffic	192.168.2.5	49753	208.80.154.224	80	TCP
2025-03-24T08:07:28.391683+0100	2803307	3	Unknown Traffic	192.168.2.5	49754	85.214.228.140	80	TCP
2025-03-24T08:07:29.647490+0100	2803307	3	Unknown Traffic	192.168.2.5	49755	13.213.51.196	80	TCP
2025-03-24T08:07:30.099689+0100	2803307	3	Unknown Traffic	192.168.2.5	49756	142.251.40.105	80	TCP
2025-03-24T08:07:31.761501+0100	2803307	3	Unknown Traffic	192.168.2.5	49759	104.156.155.94	80	TCP
2025-03-24T08:07:33.672380+0100	2803307	3	Unknown Traffic	192.168.2.5	49763	104.19.222.79	80	TCP
2025-03-24T08:07:36.140976+0100	2803307	3	Unknown Traffic	192.168.2.5	49765	172.67.155.175	80	TCP
2025-03-24T08:07:37.364352+0100	2803307	3	Unknown Traffic	192.168.2.5	49766	172.67.155.175	80	TCP
2025-03-24T08:07:38.627624+0100	2803307	3	Unknown Traffic	192.168.2.5	49767	104.19.222.79	80	TCP
2025-03-24T08:07:39.915473+0100	2803307	3	Unknown Traffic	192.168.2.5	49771	172.66.40.87	80	TCP
2025-03-24T08:07:41.146724+0100	2803307	3	Unknown Traffic	192.168.2.5	49772	172.66.40.87	80	TCP
2025-03-24T08:07:44.581445+0100	2803307	3	Unknown Traffic	192.168.2.5	49776	172.67.155.175	80	TCP
2025-03-24T08:07:45.833642+0100	2803307	3	Unknown Traffic	192.168.2.5	49778	172.66.40.87	80	TCP
2025-03-24T08:07:49.255647+0100	2803307	3	Unknown Traffic	192.168.2.5	49782	172.66.40.87	80	TCP
2025-03-24T08:07:50.581604+0100	2803307	3	Unknown Traffic	192.168.2.5	49783	172.66.40.87	80	TCP
2025-03-24T08:07:52.953700+0100	2803307	3	Unknown Traffic	192.168.2.5	49787	172.66.40.87	80	TCP
2025-03-24T08:07:55.392947+0100	2803307	3	Unknown Traffic	192.168.2.5	49790	208.80.154.224	80	TCP
2025-03-24T08:07:58.776067+0100	2803307	3	Unknown Traffic	192.168.2.5	49792	157.240.241.35	80	TCP
2025-03-24T08:08:02.368918+0100	2803307	3	Unknown Traffic	192.168.2.5	49797	104.19.222.79	80	TCP
2025-03-24T08:08:03.597535+0100	2803307	3	Unknown Traffic	192.168.2.5	49799	104.19.222.79	80	TCP
2025-03-24T08:08:05.861398+0100	2803307	3	Unknown Traffic	192.168.2.5	49802	172.66.40.87	80	TCP
2025-03-24T08:08:07.093798+0100	2803307	3	Unknown Traffic	192.168.2.5	49803	104.19.222.79	80	TCP
2025-03-24T08:08:08.323435+0100	2803307	3	Unknown Traffic	192.168.2.5	49805	172.66.40.87	80	TCP
2025-03-24T08:08:09.551830+0100	2803307	3	Unknown Traffic	192.168.2.5	49806	172.66.40.87	80	TCP
2025-03-24T08:08:10.877331+0100	2803307	3	Unknown Traffic	192.168.2.5	49808	172.66.40.87	80	TCP
2025-03-24T08:08:14.414208+0100	2803307	3	Unknown Traffic	192.168.2.5	49812	172.66.40.87	80	TCP
2025-03-24T08:08:15.647847+0100	2803307	3	Unknown Traffic	192.168.2.5	49814	172.66.40.87	80	TCP
2025-03-24T08:08:16.900257+0100	2803307	3	Unknown Traffic	192.168.2.5	49815	104.19.222.79	80	TCP
2025-03-24T08:08:18.129930+0100	2803307	3	Unknown Traffic	192.168.2.5	49817	104.19.222.79	80	TCP
2025-03-24T08:08:19.366813+0100	2803307	3	Unknown Traffic	192.168.2.5	49819	172.66.40.87	80	TCP
2025-03-24T08:08:20.729064+0100	2803307	3	Unknown Traffic	192.168.2.5	49820	172.67.155.175	80	TCP
2025-03-24T08:08:24.373354+0100	2803307	3	Unknown Traffic	192.168.2.5	49825	31.13.71.36	80	TCP
2025-03-24T08:08:24.592622+0100	2803307	3	Unknown Traffic	192.168.2.5	49826	172.66.40.87	80	TCP
2025-03-24T08:08:25.816984+0100	2803307	3	Unknown Traffic	192.168.2.5	49827	172.67.155.175	80	TCP
2025-03-24T08:08:28.091312+0100	2803307	3	Unknown Traffic	192.168.2.5	49830	172.66.40.87	80	TCP
2025-03-24T08:08:29.385435+0100	2803307	3	Unknown Traffic	192.168.2.5	49831	172.66.40.87	80	TCP
2025-03-24T08:08:30.618500+0100	2803307	3	Unknown Traffic	192.168.2.5	49833	104.19.222.79	80	TCP
2025-03-24T08:08:31.848597+0100	2803307	3	Unknown Traffic	192.168.2.5	49835	104.19.222.79	80	TCP
2025-03-24T08:08:33.069021+0100	2803307	3	Unknown Traffic	192.168.2.5	49836	172.66.40.87	80	TCP
2025-03-24T08:08:34.373252+0100	2803307	3	Unknown Traffic	192.168.2.5	49837	104.19.222.79	80	TCP
2025-03-24T08:08:36.747699+0100	2803307	3	Unknown Traffic	192.168.2.5	49841	104.19.222.79	80	TCP
2025-03-24T08:08:37.980154+0100	2803307	3	Unknown Traffic	192.168.2.5	49842	172.67.155.175	80	TCP
2025-03-24T08:08:39.207759+0100	2803307	3	Unknown Traffic	192.168.2.5	49844	172.67.155.175	80	TCP

ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-24T08:06:53.181094+0100	2803306	3	Unknown Traffic	192.168.2.5	49723	172.66.40.87	80	TCP
2025-03-24T08:06:55.120821+0100	2803306	3	Unknown Traffic	192.168.2.5	49724	104.19.222.79	80	TCP
2025-03-24T08:06:56.461262+0100	2803306	3	Unknown Traffic	192.168.2.5	49727	172.67.155.175	80	TCP
2025-03-24T08:07:00.104468+0100	2803306	3	Unknown Traffic	192.168.2.5	49733	172.66.40.87	80	TCP
2025-03-24T08:07:01.370043+0100	2803306	3	Unknown Traffic	192.168.2.5	49734	104.19.222.79	80	TCP
2025-03-24T08:07:02.600154+0100	2803306	3	Unknown Traffic	192.168.2.5	49735	172.67.155.175	80	TCP
2025-03-24T08:07:03.844825+0100	2803306	3	Unknown Traffic	192.168.2.5	49736	172.67.155.175	80	TCP
2025-03-24T08:07:06.187608+0100	2803306	3	Unknown Traffic	192.168.2.5	49738	104.19.222.79	80	TCP
2025-03-24T08:07:07.470983+0100	2803306	3	Unknown Traffic	192.168.2.5	49739	172.67.155.175	80	TCP
2025-03-24T08:07:11.727102+0100	2803306	3	Unknown Traffic	192.168.2.5	49740	104.19.222.79	80	TCP
2025-03-24T08:07:14.098111+0100	2803306	3	Unknown Traffic	192.168.2.5	49742	104.19.222.79	80	TCP
2025-03-24T08:07:15.497019+0100	2803306	3	Unknown Traffic	192.168.2.5	49743	172.67.155.175	80	TCP
2025-03-24T08:07:18.095660+0100	2803306	3	Unknown Traffic	192.168.2.5	49745	172.66.40.87	80	TCP
2025-03-24T08:07:21.569894+0100	2803306	3	Unknown Traffic	192.168.2.5	49748	172.66.40.87	80	TCP
2025-03-24T08:07:22.882096+0100	2803306	3	Unknown Traffic	192.168.2.5	49749	208.80.154.224	80	TCP
2025-03-24T08:07:26.170625+0100	2803306	3	Unknown Traffic	192.168.2.5	49751	69.147.82.60	80	TCP
2025-03-24T08:07:26.585094+0100	2803306	3	Unknown Traffic	192.168.2.5	49753	208.80.154.224	80	TCP
2025-03-24T08:07:28.391683+0100	2803306	3	Unknown Traffic	192.168.2.5	49754	85.214.228.140	80	TCP
2025-03-24T08:07:29.647490+0100	2803306	3	Unknown Traffic	192.168.2.5	49755	13.213.51.196	80	TCP
2025-03-24T08:07:30.099689+0100	2803306	3	Unknown Traffic	192.168.2.5	49756	142.251.40.105	80	TCP
2025-03-24T08:07:31.761501+0100	2803306	3	Unknown Traffic	192.168.2.5	49759	104.156.155.94	80	TCP
2025-03-24T08:07:33.672380+0100	2803306	3	Unknown Traffic	192.168.2.5	49763	104.19.222.79	80	TCP
2025-03-24T08:07:36.140976+0100	2803306	3	Unknown Traffic	192.168.2.5	49765	172.67.155.175	80	TCP
2025-03-24T08:07:37.364352+0100	2803306	3	Unknown Traffic	192.168.2.5	49766	172.67.155.175	80	TCP
2025-03-24T08:07:38.627624+0100	2803306	3	Unknown Traffic	192.168.2.5	49767	104.19.222.79	80	TCP
2025-03-24T08:07:39.915473+0100	2803306	3	Unknown Traffic	192.168.2.5	49771	172.66.40.87	80	TCP
2025-03-24T08:07:41.146724+0100	2803306	3	Unknown Traffic	192.168.2.5	49772	172.66.40.87	80	TCP
2025-03-24T08:07:44.581445+0100	2803306	3	Unknown Traffic	192.168.2.5	49776	172.67.155.175	80	TCP
2025-03-24T08:07:45.833642+0100	2803306	3	Unknown Traffic	192.168.2.5	49778	172.66.40.87	80	TCP
2025-03-24T08:07:49.255647+0100	2803306	3	Unknown Traffic	192.168.2.5	49782	172.66.40.87	80	TCP
2025-03-24T08:07:50.581604+0100	2803306	3	Unknown Traffic	192.168.2.5	49783	172.66.40.87	80	TCP
2025-03-24T08:07:52.953700+0100	2803306	3	Unknown Traffic	192.168.2.5	49787	172.66.40.87	80	TCP
2025-03-24T08:07:55.392947+0100	2803306	3	Unknown Traffic	192.168.2.5	49790	208.80.154.224	80	TCP
2025-03-24T08:07:58.776067+0100	2803306	3	Unknown Traffic	192.168.2.5	49792	157.240.241.35	80	TCP
2025-03-24T08:08:02.368918+0100	2803306	3	Unknown Traffic	192.168.2.5	49797	104.19.222.79	80	TCP
2025-03-24T08:08:03.597535+0100	2803306	3	Unknown Traffic	192.168.2.5	49799	104.19.222.79	80	TCP
2025-03-24T08:08:05.861398+0100	2803306	3	Unknown Traffic	192.168.2.5	49802	172.66.40.87	80	TCP
2025-03-24T08:08:07.093798+0100	2803306	3	Unknown Traffic	192.168.2.5	49803	104.19.222.79	80	TCP
2025-03-24T08:08:08.323435+0100	2803306	3	Unknown Traffic	192.168.2.5	49805	172.66.40.87	80	TCP
2025-03-24T08:08:09.551830+0100	2803306	3	Unknown Traffic	192.168.2.5	49806	172.66.40.87	80	TCP
2025-03-24T08:08:10.877331+0100	2803306	3	Unknown Traffic	192.168.2.5	49808	172.66.40.87	80	TCP
2025-03-24T08:08:14.414208+0100	2803306	3	Unknown Traffic	192.168.2.5	49812	172.66.40.87	80	TCP
2025-03-24T08:08:15.647847+0100	2803306	3	Unknown Traffic	192.168.2.5	49814	172.66.40.87	80	TCP
2025-03-24T08:08:16.900257+0100	2803306	3	Unknown Traffic	192.168.2.5	49815	104.19.222.79	80	TCP
2025-03-24T08:08:18.129930+0100	2803306	3	Unknown Traffic	192.168.2.5	49817	104.19.222.79	80	TCP
2025-03-24T08:08:19.366813+0100	2803306	3	Unknown Traffic	192.168.2.5	49819	172.66.40.87	80	TCP
2025-03-24T08:08:20.729064+0100	2803306	3	Unknown Traffic	192.168.2.5	49820	172.67.155.175	80	TCP
2025-03-24T08:08:24.373354+0100	2803306	3	Unknown Traffic	192.168.2.5	49825	31.13.71.36	80	TCP
2025-03-24T08:08:24.592622+0100	2803306	3	Unknown Traffic	192.168.2.5	49826	172.66.40.87	80	TCP
2025-03-24T08:08:25.816984+0100	2803306	3	Unknown Traffic	192.168.2.5	49827	172.67.155.175	80	TCP
2025-03-24T08:08:28.091312+0100	2803306	3	Unknown Traffic	192.168.2.5	49830	172.66.40.87	80	TCP
2025-03-24T08:08:29.385435+0100	2803306	3	Unknown Traffic	192.168.2.5	49831	172.66.40.87	80	TCP
2025-03-24T08:08:30.618500+0100	2803306	3	Unknown Traffic	192.168.2.5	49833	104.19.222.79	80	TCP
2025-03-24T08:08:31.848597+0100	2803306	3	Unknown Traffic	192.168.2.5	49835	104.19.222.79	80	TCP
2025-03-24T08:08:33.069021+0100	2803306	3	Unknown Traffic	192.168.2.5	49836	172.66.40.87	80	TCP
2025-03-24T08:08:34.373252+0100	2803306	3	Unknown Traffic	192.168.2.5	49837	104.19.222.79	80	TCP
2025-03-24T08:08:36.747699+0100	2803306	3	Unknown Traffic	192.168.2.5	49841	104.19.222.79	80	TCP
2025-03-24T08:08:37.980154+0100	2803306	3	Unknown Traffic	192.168.2.5	49842	172.67.155.175	80	TCP
2025-03-24T08:08:39.207759+0100	2803306	3	Unknown Traffic	192.168.2.5	49844	172.67.155.175	80	TCP

ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-24T08:07:30.305357+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.5	63809	UDP

ETPRO MALWARE Possible Virut DGA NXDOMAIN Responses (com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-24T08:07:56.377102+0100	2811577	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.5	52146	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1 (325).exe

Avira: detected

Antivirus detection for URL or domain

Source: http://aafibwgqhfb.info/	Avira URL Cloud: Label: malware
Source: http://yvryrqqzi.info/	Avira URL Cloud: Label: malware
Source: http://mmiegqks.org/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\kcatjhxtoggsqkbyskib.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\qkkfxxpnkeguuqjieyytll.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\oyozhxftgqim.bat	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\wesbhvbnyg.bat	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\oasfphrhwiciao.bat	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\mcypdznhaqoyumbwoe.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\wesbhvbnyg\RCXDE31.tmp	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\mcypdznhaqoyumbwoe.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Avira: detection malicious, Label: TR/Agent.327680.A
Source: C:\Users\user\AppData\Local\Temp\kcatjhxtoggsqkbyskib.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\mcypdznhaqoyumbwoe.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\kcatjhxtoggsqkbyskib.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\qkkfxxpnkeguuqjieyytll.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Avira: detection malicious, Label: TR/Agent.327680.A
Source: C:\Users\user\AppData\Local\Temp\qkkfxxpnkeguuqjieyytll.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\wesbhvbnyg\wesbhvbnyg.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\kcatjhxtoggsqkbyskib.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\mcypdznhaqoyumbwoe.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\qkkfxxpnkeguuqjieyytll.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\wesbhvbnyg\wesbhvbnyg.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\dsndqlyrjyvezqeyp.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\kcatjhxtoggsqkbyskib.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\mcypdznhaqoyumbwoe.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\qkkfxxpnkeguuqjieyytll.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\wketfzlduiemgwjc.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\xoldspeztkjurkawpgd.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\zsrlcbsplefsrmecxqpja.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\dsndqlyrjyvezqeyp.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\kcatjhxtoggsqkbyskib.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\mcypdznhaqoyumbwoe.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\qkkfxxpnkeguuqjieyytll.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\wketfzlduiemgwjc.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\xoldspeztkjurkawpgd.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\zsrlcbsplefsrmecxqpja.exe	ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: 1 (325).exe	Virustotal: Detection: 91%			Perma Link
Source: 1 (325).exe	ReversingLabs: Detection: 97%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior

Source: 1 (325).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Spreading

Changes autostart functionality of drives

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun

Source: xcntwhk.exe, 00000003.00000002.2585513534.0000000003FCA000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: C:\autorun.inf
Source: xcntwhk.exe, 00000003.00000002.2585513534.0000000003FCA000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: [AutoRun]
Source: xcntwhk.exe, 00000003.00000002.2585513534.0000000003FCA000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: wesbhvbnyg.batwketfzlduiemgwjcsgapbvhzqeaicsfyocwlxrdvmaweyobukyshtnzriwsaukxqguodpjvnesowqgtmcqkzlfrjaoksmcpiymgvhbnfwkgoiyleuicrdxjbxcntwhk.exeC:\autorun.infB
Source: autorun.inf.3.dr	Binary or memory string: [AutoRun]

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00407850 lstrcatA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	1_2_00407850
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00401000 Sleep,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,CopyFileA,FindNextFileA,FindClose,	1_2_00401000
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00414883 lstrcatA,lstrcpyA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,	1_2_00414883
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00408912 Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,lstrlenA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,GetUserNameA,wsprintfA,ShellExecuteA,wsprintfA,ShellExecuteA,Sleep,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,LoadLibraryA,EnumResourceNamesA,FreeLibrary,MoveFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00408912
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00407259 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrlenA,wsprintfA,FindNextFileA,FindClose,	1_2_00407259
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_004092D5 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,lstrcpyA,	1_2_004092D5
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_004074A2 Sleep,Sleep,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,lstrlenA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_004074A2
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00407D1E Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	1_2_00407D1E
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00410F49 Sleep,wsprintfA,wsprintfA,FindFirstFileA,FindClose,wsprintfA,FindClose,FindNextFileA,FindClose,	1_2_00410F49
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00406718 GetTickCount,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00406718
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00407850 lstrlenA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	3_2_00407850
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00414883 lstrcatA,lstrcpyA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,	3_2_00414883
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_004092D5 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,lstrcpyA,	3_2_004092D5
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00406718 lstrcmpiA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,FindNextFileA,FindClose,	3_2_00406718
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00401000 lstrcatA,lstrcpyA,Sleep,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,CopyFileA,FindNextFileA,FindClose,	3_2_00401000
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00408912 Sleep,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,lstrlenA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,GetUserNameA,wsprintfA,ShellExecuteA,wsprintfA,ShellExecuteA,Sleep,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,LoadLibraryA,EnumResourceNamesA,FreeLibrary,MoveFileA,SetFileAttributesA,FindNextFileA,FindClose,	3_2_00408912
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00407259 Sleep,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrlenA,wsprintfA,FindNextFileA,FindClose,	3_2_00407259
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_004074A2 Sleep,Sleep,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,lstrlenA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_004074A2
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00407D1E lstrcatA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	3_2_00407D1E
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00410F49 Sleep,wsprintfA,wsprintfA,FindFirstFileA,FindClose,wsprintfA,FindClose,FindNextFileA,FindClose,	3_2_00410F49
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00406718 GetTickCount,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,FindNextFileA,FindClose,	4_2_00406718
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00407850 lstrcatA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	4_2_00407850
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00401000 Sleep,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,CopyFileA,FindNextFileA,FindClose,	4_2_00401000
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00414883 lstrcatA,lstrcpyA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,	4_2_00414883
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00408912 Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,lstrlenA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,GetUserNameA,wsprintfA,ShellExecuteA,wsprintfA,ShellExecuteA,Sleep,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,LoadLibraryA,EnumResourceNamesA,FreeLibrary,MoveFileA,SetFileAttributesA,FindNextFileA,FindClose,	4_2_00408912
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00407259 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrlenA,wsprintfA,FindNextFileA,FindClose,	4_2_00407259
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_004092D5 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,lstrcpyA,	4_2_004092D5
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_004074A2 Sleep,Sleep,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,lstrlenA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	4_2_004074A2
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00407D1E Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	4_2_00407D1E
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00410F49 Sleep,wsprintfA,wsprintfA,FindFirstFileA,FindClose,wsprintfA,FindClose,FindNextFileA,FindClose,	4_2_00410F49
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_00407850 lstrcatA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	26_2_00407850
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_00401000 Sleep,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,CopyFileA,FindNextFileA,FindClose,	26_2_00401000
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_00414883 lstrcatA,lstrcpyA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,	26_2_00414883
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_00408912 Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,lstrlenA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,GetUserNameA,wsprintfA,wsprintfA,Sleep,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,LoadLibraryA,EnumResourceNamesA,FreeLibrary,MoveFileA,SetFileAttributesA,FindNextFileA,FindClose,	26_2_00408912
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_00407259 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrlenA,wsprintfA,FindNextFileA,FindClose,	26_2_00407259
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_004092D5 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,lstrcpyA,	26_2_004092D5
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_004074A2 Sleep,Sleep,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,lstrlenA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	26_2_004074A2
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_00407D1E Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	26_2_00407D1E
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_00410F49 Sleep,wsprintfA,wsprintfA,FindFirstFileA,FindClose,wsprintfA,FindClose,FindNextFileA,FindClose,	26_2_00410F49
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_00406718 GetTickCount,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,FindNextFileA,FindClose,	26_2_00406718

Source: C:\Users\user\Desktop\1 (325).exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49735 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49739 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49724 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49748 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49808 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49727 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49778 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49771 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49742 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49766 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49827 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49765 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49776 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49745 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49833 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49783 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49831 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49740 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49743 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49817 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49797 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49763 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49815 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49806 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49772 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49802 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49842 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49723 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49805 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49836 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49814 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49767 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49830 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49841 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49844 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49799 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49819 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49736 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49787 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49826 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49837 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49734 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49820 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49835 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49738 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49803 -> 104.19.222.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49733 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49782 -> 172.66.40.87:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.2.5:49812 -> 172.66.40.87:80

Source: global traffic	TCP traffic: 115.254.99.27 ports 28316,1,2,3,6,8
Source: global traffic	TCP traffic: 94.230.139.179 ports 1,2,25163,3,5,6

Source: global traffic	TCP traffic: 192.168.2.5:49752 -> 46.47.109.74:28528
Source: global traffic	TCP traffic: 192.168.2.5:49762 -> 94.230.139.179:25163
Source: global traffic	TCP traffic: 192.168.2.5:49770 -> 89.25.19.164:16228
Source: global traffic	TCP traffic: 192.168.2.5:49777 -> 46.10.102.240:37243
Source: global traffic	TCP traffic: 192.168.2.5:49785 -> 115.254.99.27:28316
Source: global traffic	TCP traffic: 192.168.2.5:49800 -> 2.133.242.134:30688
Source: global traffic	TCP traffic: 192.168.2.5:49807 -> 94.139.210.10:29131
Source: global traffic	TCP traffic: 192.168.2.5:49832 -> 93.155.166.93:23353
Source: global traffic	TCP traffic: 192.168.2.5:49840 -> 31.29.197.223:37325
Source: global traffic	TCP traffic: 192.168.2.5:49846 -> 114.43.2.252:43823

Source: unknown	DNS query: name: www.whatismyip.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: www.showmyipaddress.com
Source: unknown	DNS query: name: www.showmyipaddress.com
Source: unknown	DNS query: name: www.showmyipaddress.com
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.wikipedia.orgAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.yahoo.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.wikipedia.orgAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: aafibwgqhfb.infoAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: mmiegqks.orgAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.blogger.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: yvryrqqzi.infoAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.wikipedia.orgAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.facebook.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.facebook.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 46.47.109.74
Source: unknown	TCP traffic detected without corresponding DNS query: 46.47.109.74
Source: unknown	TCP traffic detected without corresponding DNS query: 46.47.109.74
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.139.179
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.139.179
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.139.179
Source: unknown	TCP traffic detected without corresponding DNS query: 89.25.19.164
Source: unknown	TCP traffic detected without corresponding DNS query: 89.25.19.164
Source: unknown	TCP traffic detected without corresponding DNS query: 89.25.19.164
Source: unknown	TCP traffic detected without corresponding DNS query: 115.254.99.27
Source: unknown	TCP traffic detected without corresponding DNS query: 115.254.99.27
Source: unknown	TCP traffic detected without corresponding DNS query: 115.254.99.27
Source: unknown	TCP traffic detected without corresponding DNS query: 89.25.19.164
Source: unknown	TCP traffic detected without corresponding DNS query: 89.25.19.164
Source: unknown	TCP traffic detected without corresponding DNS query: 89.25.19.164
Source: unknown	TCP traffic detected without corresponding DNS query: 2.133.242.134
Source: unknown	TCP traffic detected without corresponding DNS query: 2.133.242.134
Source: unknown	TCP traffic detected without corresponding DNS query: 2.133.242.134
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.139.179
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.139.179
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.139.179
Source: unknown	TCP traffic detected without corresponding DNS query: 46.47.109.74
Source: unknown	TCP traffic detected without corresponding DNS query: 46.47.109.74
Source: unknown	TCP traffic detected without corresponding DNS query: 46.47.109.74
Source: unknown	TCP traffic detected without corresponding DNS query: 93.155.166.93
Source: unknown	TCP traffic detected without corresponding DNS query: 93.155.166.93
Source: unknown	TCP traffic detected without corresponding DNS query: 93.155.166.93
Source: unknown	TCP traffic detected without corresponding DNS query: 31.29.197.223
Source: unknown	TCP traffic detected without corresponding DNS query: 31.29.197.223
Source: unknown	TCP traffic detected without corresponding DNS query: 31.29.197.223
Source: unknown	TCP traffic detected without corresponding DNS query: 114.43.2.252
Source: unknown	TCP traffic detected without corresponding DNS query: 114.43.2.252
Source: unknown	TCP traffic detected without corresponding DNS query: 114.43.2.252
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: xcntwhk.exe, 00000003.00000002.2583580241.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: +www.facebook.com equals www.facebook.com (Facebook)
Source: xcntwhk.exe, 00000003.00000002.2585910584.00000000044D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: G$stari.c10r.facebook.comwww.facebook.com equals www.facebook.com (Facebook)
Source: xcntwhk.exe, 00000003.00000002.2583580241.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: J8www.showmyipaddress.comwww.facebook.comahoo.comorg equals www.facebook.com (Facebook)
Source: xcntwhk.exe, 00000003.00000002.2585910584.00000000044D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: star-mini.c10r.facebook.comwww.facebook.com\ equals www.facebook.com (Facebook)
Source: xcntwhk.exe, 00000003.00000002.2583580241.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, xcntwhk.exe, 00000003.00000002.2585910584.00000000044D0000.00000004.00000020.00020000.00000000.sdmp, xcntwhk.exe, 00000003.00000002.2583580241.0000000000638000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: vynygujmbmu.exe, vynygujmbmu.exe, 0000001A.00000000.2177574823.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001A.00000002.2179241697.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001B.00000002.2245610703.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: www.facebook.com/ equals www.facebook.com (Facebook)
Source: vynygujmbmu.exe, vynygujmbmu.exe, 0000001A.00000000.2177574823.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001A.00000002.2179241697.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001B.00000002.2245610703.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: www.myspace.com/ equals www.myspace.com (Myspace)
Source: vynygujmbmu.exe, vynygujmbmu.exe, 0000001A.00000000.2177574823.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001A.00000002.2179241697.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001B.00000002.2245610703.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: www.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: vynygujmbmu.exe, vynygujmbmu.exe, 0000001A.00000000.2177574823.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001A.00000002.2179241697.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001B.00000002.2245610703.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: www.youtube.com/ equals www.youtube.com (Youtube)
Source: xcntwhk.exe, 00000003.00000002.2581138501.000000000019F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com/www.wikipedia.org/www.blogger.com/www.adobe.com/www.http://whatismyip.everdot.org/ equals www.youtube.com (Youtube)
Source: vynygujmbmu.exe, 00000001.00000000.1375434027.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 00000001.00000003.1419657235.00000000022D7000.00000004.00000020.00020000.00000000.sdmp, vynygujmbmu.exe, 00000001.00000002.1451424680.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: xxwww.ebay.com/www.baidu.com/www.imdb.com/www.bbc.co.uk/www.adobe.com/www.blogger.com/www.wikipedia.org/www.yahoo.com/www.youtube.com/www.myspace.com/www.facebook.com/www.google.com/ .Shell""-shutdown -r equals www.facebook.com (Facebook)
Source: vynygujmbmu.exe, 00000001.00000000.1375434027.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 00000001.00000003.1419657235.00000000022D7000.00000004.00000020.00020000.00000000.sdmp, vynygujmbmu.exe, 00000001.00000002.1451424680.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: xxwww.ebay.com/www.baidu.com/www.imdb.com/www.bbc.co.uk/www.adobe.com/www.blogger.com/www.wikipedia.org/www.yahoo.com/www.youtube.com/www.myspace.com/www.facebook.com/www.google.com/ .Shell""-shutdown -r equals www.myspace.com (Myspace)
Source: vynygujmbmu.exe, 00000001.00000000.1375434027.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 00000001.00000003.1419657235.00000000022D7000.00000004.00000020.00020000.00000000.sdmp, vynygujmbmu.exe, 00000001.00000002.1451424680.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: xxwww.ebay.com/www.baidu.com/www.imdb.com/www.bbc.co.uk/www.adobe.com/www.blogger.com/www.wikipedia.org/www.yahoo.com/www.youtube.com/www.myspace.com/www.facebook.com/www.google.com/ .Shell""-shutdown -r equals www.yahoo.com (Yahoo)
Source: vynygujmbmu.exe, 00000001.00000000.1375434027.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 00000001.00000003.1419657235.00000000022D7000.00000004.00000020.00020000.00000000.sdmp, vynygujmbmu.exe, 00000001.00000002.1451424680.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: xxwww.ebay.com/www.baidu.com/www.imdb.com/www.bbc.co.uk/www.adobe.com/www.blogger.com/www.wikipedia.org/www.yahoo.com/www.youtube.com/www.myspace.com/www.facebook.com/www.google.com/ .Shell""-shutdown -r equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: www.whatismyip.com
Source: global traffic	DNS traffic detected: DNS query: whatismyipaddress.com
Source: global traffic	DNS traffic detected: DNS query: www.showmyipaddress.com
Source: global traffic	DNS traffic detected: DNS query: whatismyip.everdot.org
Source: global traffic	DNS traffic detected: DNS query: www.whatismyip.ca
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.yahoo.com
Source: global traffic	DNS traffic detected: DNS query: jnroptvip.org
Source: global traffic	DNS traffic detected: DNS query: rtnugmsf.net
Source: global traffic	DNS traffic detected: DNS query: bcjennta.net
Source: global traffic	DNS traffic detected: DNS query: aafibwgqhfb.info
Source: global traffic	DNS traffic detected: DNS query: mmiegqks.org
Source: global traffic	DNS traffic detected: DNS query: www.blogger.com
Source: global traffic	DNS traffic detected: DNS query: whtqbxdagaj.net
Source: global traffic	DNS traffic detected: DNS query: vsloynlsigp.net
Source: global traffic	DNS traffic detected: DNS query: wemeopdxc.info
Source: global traffic	DNS traffic detected: DNS query: oovqvemcvqs.net
Source: global traffic	DNS traffic detected: DNS query: lwujjelylqeb.net
Source: global traffic	DNS traffic detected: DNS query: sqjqlhvt.net
Source: global traffic	DNS traffic detected: DNS query: aaaysmkeyw.com
Source: global traffic	DNS traffic detected: DNS query: tmjmesq.org
Source: global traffic	DNS traffic detected: DNS query: yvryrqqzi.info
Source: global traffic	DNS traffic detected: DNS query: gghqjwlil.net
Source: global traffic	DNS traffic detected: DNS query: mqagmeasmu.com
Source: global traffic	DNS traffic detected: DNS query: nhofhlbxz.net
Source: global traffic	DNS traffic detected: DNS query: iwstrnj.net
Source: global traffic	DNS traffic detected: DNS query: rvlshofyduz.net
Source: global traffic	DNS traffic detected: DNS query: oufkhyb.net
Source: global traffic	DNS traffic detected: DNS query: zivsrdtudha.info
Source: global traffic	DNS traffic detected: DNS query: icjyrqqzi.info
Source: global traffic	DNS traffic detected: DNS query: nhjeeopsa.info
Source: global traffic	DNS traffic detected: DNS query: vwzqzfrvx.info
Source: global traffic	DNS traffic detected: DNS query: rpkqybmstedh.net
Source: global traffic	DNS traffic detected: DNS query: okdkrwsqk.info
Source: global traffic	DNS traffic detected: DNS query: yuxcfwlwzoh.info
Source: global traffic	DNS traffic detected: DNS query: qrcxqqfmhbpi.net
Source: global traffic	DNS traffic detected: DNS query: wiakayrgn.net
Source: global traffic	DNS traffic detected: DNS query: yejgthv.net
Source: global traffic	DNS traffic detected: DNS query: apeawagqjggt.info
Source: global traffic	DNS traffic detected: DNS query: nhlujxlev.net
Source: global traffic	DNS traffic detected: DNS query: kzryuikb.info
Source: global traffic	DNS traffic detected: DNS query: dzoebuoqr.com
Source: global traffic	DNS traffic detected: DNS query: bevhmyevxhjd.net
Source: global traffic	DNS traffic detected: DNS query: eydohptq.info
Source: global traffic	DNS traffic detected: DNS query: ontfxnwgapp.net
Source: global traffic	DNS traffic detected: DNS query: cuuwcumuqugc.com
Source: global traffic	DNS traffic detected: DNS query: ytdbdtp.net
Source: global traffic	DNS traffic detected: DNS query: mcwggess.org
Source: global traffic	DNS traffic detected: DNS query: iudcvwv.info
Source: global traffic	DNS traffic detected: DNS query: uymeek.org
Source: global traffic	DNS traffic detected: DNS query: petitkjfp.org
Source: global traffic	DNS traffic detected: DNS query: nxlnvx.info
Source: global traffic	DNS traffic detected: DNS query: gfnmpazyj.net
Source: global traffic	DNS traffic detected: DNS query: fgifll.info
Source: global traffic	DNS traffic detected: DNS query: kkgcgaeaqyyq.org
Source: global traffic	DNS traffic detected: DNS query: nrbonstkhi.net
Source: global traffic	DNS traffic detected: DNS query: uizbkifwv.net
Source: global traffic	DNS traffic detected: DNS query: riwquzxmkh.info
Source: global traffic	DNS traffic detected: DNS query: lklwgdvifo.net
Source: global traffic	DNS traffic detected: DNS query: yhtorbdrz.info
Source: global traffic	DNS traffic detected: DNS query: wqwmqwaq.org
Source: global traffic	DNS traffic detected: DNS query: kucwcsua.org
Source: global traffic	DNS traffic detected: DNS query: dakalpcoh.org
Source: global traffic	DNS traffic detected: DNS query: gntkfsh.info
Source: global traffic	DNS traffic detected: DNS query: eakmse.com
Source: global traffic	DNS traffic detected: DNS query: vkduxck.net
Source: global traffic	DNS traffic detected: DNS query: seokqmai.com
Source: global traffic	DNS traffic detected: DNS query: mangrnijbqlm.net
Source: global traffic	DNS traffic detected: DNS query: mbnrqlnhtj.net
Source: global traffic	DNS traffic detected: DNS query: nwtxruegv.com
Source: global traffic	DNS traffic detected: DNS query: nocatspaqoz.net
Source: global traffic	DNS traffic detected: DNS query: cpnhts.net
Source: global traffic	DNS traffic detected: DNS query: xuzkjuzmp.org
Source: global traffic	DNS traffic detected: DNS query: lryrdc.net
Source: global traffic	DNS traffic detected: DNS query: kajtaiwnrz.info
Source: global traffic	DNS traffic detected: DNS query: rubgfefczwd.info
Source: global traffic	DNS traffic detected: DNS query: rswwesrbw.net
Source: global traffic	DNS traffic detected: DNS query: kdrfdwbausqx.net
Source: global traffic	DNS traffic detected: DNS query: tpaxnhb.org
Source: global traffic	DNS traffic detected: DNS query: hlhycyzex.org
Source: global traffic	DNS traffic detected: DNS query: zbamqqiwohsw.info
Source: global traffic	DNS traffic detected: DNS query: ngntxewars.info
Source: global traffic	DNS traffic detected: DNS query: qqbsrfrqwve.info
Source: global traffic	DNS traffic detected: DNS query: uqgqamoskwoi.com
Source: global traffic	DNS traffic detected: DNS query: yazklabmp.net
Source: global traffic	DNS traffic detected: DNS query: atdxhkxfoal.net
Source: global traffic	DNS traffic detected: DNS query: cgamoc.com
Source: global traffic	DNS traffic detected: DNS query: hhftdocw.net
Source: global traffic	DNS traffic detected: DNS query: akpcfib.net
Source: global traffic	DNS traffic detected: DNS query: imegyq.com
Source: global traffic	DNS traffic detected: DNS query: iuwicmqqsi.com
Source: global traffic	DNS traffic detected: DNS query: gowsogp.net
Source: global traffic	DNS traffic detected: DNS query: gsbfmcjyr.info
Source: global traffic	DNS traffic detected: DNS query: dinylex.com
Source: global traffic	DNS traffic detected: DNS query: bcvragh.org
Source: global traffic	DNS traffic detected: DNS query: uxntkalnjv.info
Source: global traffic	DNS traffic detected: DNS query: pzlixytwvd.net
Source: global traffic	DNS traffic detected: DNS query: ekcpzkarddqq.info
Source: global traffic	DNS traffic detected: DNS query: hygdqw.info
Source: global traffic	DNS traffic detected: DNS query: ajmsxuakp.net

Source: vynygujmbmu.exe.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: vynygujmbmu.exe, vynygujmbmu.exe, 0000001A.00000000.2177574823.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001A.00000002.2179241697.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001B.00000002.2245610703.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001B.00000000.2200223618.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001C.00000000.2243271037.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001C.00000002.2245070403.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001E.00000002.2300360035.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001E.00000000.2263349442.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001F.00000000.2288045019.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 0000001F.00000002.2289772355.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 00000020.00000002.2314759609.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 00000020.00000000.2306590379.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 00000022.00000002.2388537604.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 00000022.00000000.2348591618.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 00000023.00000000.2382581254.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 00000023.00000002.2383820507.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 00000024.00000002.2463442216.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 00000024.00000000.2411577348.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 00000026.00000000.2450267737.000000000042A000.00000002.00000001.01000000.00000006.sdmp, vynygujmbmu.exe, 00000026.00000002.2453253625.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: xcntwhk.exe, 00000003.00000002.2581138501.000000000019F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://whatismyip.everdot.org/
Source: xcntwhk.exe, 00000003.00000002.2581138501.0000000000191000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://www.showmyipaddress.com/

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0041394A OpenClipboard,WriteFile,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrcpyA,GlobalUnlock,SetClipboardData,CloseClipboard,	1_2_0041394A
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0041394A OpenClipboard,WriteFile,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrcpyA,GlobalUnlock,SetClipboardData,CloseClipboard,	3_2_0041394A
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0041394A OpenClipboard,WriteFile,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrcpyA,GlobalUnlock,SetClipboardData,CloseClipboard,	4_2_0041394A
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0041394A WriteFile,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrcpyA,GlobalUnlock,SetClipboardData,	26_2_0041394A

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0041EDCD PostQuitMessage,CreateThread,GetTickCount,lstrcpynA,lstrcpyA,wsprintfA,PostQuitMessage,NtdllDefWindowProc_A,	1_2_0041EDCD
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0041EDCD PostQuitMessage,CreateThread,GetTickCount,lstrcpynA,lstrcpyA,wsprintfA,PostQuitMessage,NtdllDefWindowProc_A,	3_2_0041EDCD
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0041EDCD PostQuitMessage,CreateThread,GetTickCount,lstrcpynA,lstrcpyA,wsprintfA,PostQuitMessage,NtdllDefWindowProc_A,	4_2_0041EDCD

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: GetTickCount,Sleep,Sleep,GetTickCount,lstrcpyA,lstrlenA,lstrcatA,ShellExecuteA,CreateThread,GetTickCount,Sleep,Sleep,MessageBoxA,Sleep, shutdown -r	1_2_00415D7A
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: GetTickCount,Sleep,Sleep,GetTickCount,lstrcpyA,lstrlenA,lstrcatA,ShellExecuteA,CreateThread,GetTickCount,Sleep,Sleep,MessageBoxA,Sleep, Shutdown	1_2_00415D7A
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00413DD8 ExitWindowsEx,	1_2_00413DD8
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: GetTickCount,Sleep,Sleep,GetTickCount,lstrcpyA,lstrlenA,lstrcatA,ShellExecuteA,CreateThread,GetTickCount,Sleep,Sleep,MessageBoxA,Sleep, shutdown -r	3_2_00415D7A
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: GetTickCount,Sleep,Sleep,GetTickCount,lstrcpyA,lstrlenA,lstrcatA,ShellExecuteA,CreateThread,GetTickCount,Sleep,Sleep,MessageBoxA,Sleep, Shutdown	3_2_00415D7A
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00413DD8 ExitWindowsEx,	3_2_00413DD8
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: GetTickCount,Sleep,Sleep,GetTickCount,lstrcpyA,lstrlenA,lstrcatA,ShellExecuteA,CreateThread,GetTickCount,Sleep,Sleep,MessageBoxA,Sleep, shutdown -r	4_2_00415D7A
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: GetTickCount,Sleep,Sleep,GetTickCount,lstrcpyA,lstrlenA,lstrcatA,ShellExecuteA,CreateThread,GetTickCount,Sleep,Sleep,MessageBoxA,Sleep, Shutdown	4_2_00415D7A
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00413DD8 ExitWindowsEx,	4_2_00413DD8

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\SysWOW64\wketfzlduiemgwjc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\SysWOW64\dsndqlyrjyvezqeyp.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\SysWOW64\mcypdznhaqoyumbwoe.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\SysWOW64\xoldspeztkjurkawpgd.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\SysWOW64\kcatjhxtoggsqkbyskib.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\SysWOW64\zsrlcbsplefsrmecxqpja.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\SysWOW64\qkkfxxpnkeguuqjieyytll.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\wketfzlduiemgwjc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\dsndqlyrjyvezqeyp.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\mcypdznhaqoyumbwoe.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\xoldspeztkjurkawpgd.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\kcatjhxtoggsqkbyskib.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\zsrlcbsplefsrmecxqpja.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\qkkfxxpnkeguuqjieyytll.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	File created: C:\Windows\SysWOW64\qsaddllrwyiemqrycemppxxdik.qyc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	File created: C:\Windows\qsaddllrwyiemqrycemppxxdik.qyc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	File created: C:\Windows\SysWOW64\rexlwparhupwpeqixkdrcvgxnavcvkwodqjxi.mdt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	File created: C:\Windows\rexlwparhupwpeqixkdrcvgxnavcvkwodqjxi.mdt	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0040C7E0	1_2_0040C7E0
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0042797B	1_2_0042797B
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0041A936	1_2_0041A936
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0041B3CF	1_2_0041B3CF
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_004223D8	1_2_004223D8
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0041B477	1_2_0041B477
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0040F488	1_2_0040F488
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0042874A	1_2_0042874A
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0040F488	3_2_0040F488
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0040C7E0	3_2_0040C7E0
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0042797B	3_2_0042797B
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0041A936	3_2_0041A936
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0041B3CF	3_2_0041B3CF
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_004223D8	3_2_004223D8
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0041B477	3_2_0041B477
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0042874A	3_2_0042874A
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0040C7E0	4_2_0040C7E0
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0042797B	4_2_0042797B
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0041A936	4_2_0041A936
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0041B3CF	4_2_0041B3CF
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_004223D8	4_2_004223D8
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0041B477	4_2_0041B477
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0040F488	4_2_0040F488
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0042874A	4_2_0042874A
Source: C:\Windows\wketfzlduiemgwjc.exe	Code function: 8_2_00406235	8_2_00406235
Source: C:\Windows\wketfzlduiemgwjc.exe	Code function: 8_2_00404FA8	8_2_00404FA8
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0042797B	26_2_0042797B
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0041A936	26_2_0041A936
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0041B3CF	26_2_0041B3CF
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_004223D8	26_2_004223D8
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0041B477	26_2_0041B477
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0040F488	26_2_0040F488
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0042874A	26_2_0042874A
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0040C7E0	26_2_0040C7E0

Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: String function: 0041D048 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: String function: 00410BF4 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: String function: 0042203E appears 58 times
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: String function: 00421DB0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: String function: 00421DF0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: String function: 00413761 appears 91 times
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: String function: 0041D048 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: String function: 00410BF4 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: String function: 0042203E appears 58 times
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: String function: 00421DB0 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: String function: 00421DF0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: String function: 00413761 appears 89 times

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00413D4D Sleep,GetCurrentProcess,OpenProcessToken,GetCurrentThread,OpenThreadToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	1_2_00413D4D
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00413D4D Sleep,GetCurrentProcess,OpenProcessToken,GetCurrentThread,OpenThreadToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	3_2_00413D4D
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00413D4D Sleep,GetCurrentProcess,OpenProcessToken,GetCurrentThread,OpenThreadToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	4_2_00413D4D

Source: C:\Users\user\Desktop\1 (325).exe	Mutant created: \Sessions\1\BaseNamedObjects\ewaaxaewaaxaewaaxaewaaxaew
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Mutant created: \Sessions\1\BaseNamedObjects\jefbuvonlgjyzwqqnijfyzs
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Mutant created: \Sessions\1\BaseNamedObjects\zsrlcbsplefsrmecxqpja
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Mutant created: \Sessions\1\BaseNamedObjects\qkkfxxpnkeguuqjieyytll

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1 (325).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
1 (325).exe

Source: unknown	Process created: C:\Users\user\Desktop\1 (325).exe "C:\Users\user\Desktop\1 (325).exe"
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe*"
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process created: C:\Users\user\AppData\Local\Temp\xcntwhk.exe "C:\Users\user\AppData\Local\Temp\xcntwhk.exe" "-C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe"
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process created: C:\Users\user\AppData\Local\Temp\xcntwhk.exe "C:\Users\user\AppData\Local\Temp\xcntwhk.exe" "-C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe"
Source: unknown	Process created: C:\Windows\wketfzlduiemgwjc.exe "C:\Windows\wketfzlduiemgwjc.exe" .
Source: C:\Windows\wketfzlduiemgwjc.exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\windows\wketfzlduiemgwjc.exe*."
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe "C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe" .
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\appdata\local\temp\zsrlcbsplefsrmecxqpja.exe*."
Source: unknown	Process created: C:\Windows\kcatjhxtoggsqkbyskib.exe "C:\Windows\kcatjhxtoggsqkbyskib.exe" .
Source: C:\Windows\kcatjhxtoggsqkbyskib.exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\windows\kcatjhxtoggsqkbyskib.exe*."
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe "C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe" .
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\appdata\local\temp\xoldspeztkjurkawpgd.exe*."
Source: unknown	Process created: C:\Windows\zsrlcbsplefsrmecxqpja.exe "C:\Windows\zsrlcbsplefsrmecxqpja.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe "C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe"
Source: unknown	Process created: C:\Windows\xoldspeztkjurkawpgd.exe "C:\Windows\xoldspeztkjurkawpgd.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe "C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe"
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"
Source: unknown	Process created: C:\Windows\mcypdznhaqoyumbwoe.exe "C:\Windows\mcypdznhaqoyumbwoe.exe" .
Source: C:\Windows\mcypdznhaqoyumbwoe.exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\windows\mcypdznhaqoyumbwoe.exe*."
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe "C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe" .
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\appdata\local\temp\dsndqlyrjyvezqeyp.exe*."
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"
Source: unknown	Process created: C:\Windows\zsrlcbsplefsrmecxqpja.exe "C:\Windows\zsrlcbsplefsrmecxqpja.exe"
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe "C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe"
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe*"	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\desktop\1 (325).exe"	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process created: C:\Users\user\AppData\Local\Temp\xcntwhk.exe "C:\Users\user\AppData\Local\Temp\xcntwhk.exe" "-C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process created: C:\Users\user\AppData\Local\Temp\xcntwhk.exe "C:\Users\user\AppData\Local\Temp\xcntwhk.exe" "-C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe"	Jump to behavior
Source: C:\Windows\wketfzlduiemgwjc.exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\windows\wketfzlduiemgwjc.exe*."	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\appdata\local\temp\zsrlcbsplefsrmecxqpja.exe*."	Jump to behavior
Source: C:\Windows\kcatjhxtoggsqkbyskib.exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\windows\kcatjhxtoggsqkbyskib.exe*."
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\appdata\local\temp\xoldspeztkjurkawpgd.exe*."
Source: C:\Windows\mcypdznhaqoyumbwoe.exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\windows\mcypdznhaqoyumbwoe.exe*."
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Process created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe "C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe" "c:\users\user\appdata\local\temp\dsndqlyrjyvezqeyp.exe*."

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_004223C7 push ecx; ret	1_2_004223D7
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00421DF0 push eax; ret	1_2_00421E04
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00421DF0 push eax; ret	1_2_00421E2C
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_004223C7 push ecx; ret	3_2_004223D7
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00421DF0 push eax; ret	3_2_00421E04
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00421DF0 push eax; ret	3_2_00421E2C
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_004223C7 push ecx; ret	4_2_004223D7
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00421DF0 push eax; ret	4_2_00421E04
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00421DF0 push eax; ret	4_2_00421E2C
Source: C:\Windows\wketfzlduiemgwjc.exe	Code function: 8_2_004050C0 push eax; ret	8_2_004050D4
Source: C:\Windows\wketfzlduiemgwjc.exe	Code function: 8_2_004050C0 push eax; ret	8_2_004050FC
Source: C:\Windows\wketfzlduiemgwjc.exe	Code function: 8_2_00404F97 push ecx; ret	8_2_00404FA7
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_004223C7 push ecx; ret	26_2_004223D7
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_00421DF0 push eax; ret	26_2_00421E04
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_00421DF0 push eax; ret	26_2_00421E2C

Source: unknown	Executable created and started: C:\Windows\kcatjhxtoggsqkbyskib.exe
Source: unknown	Executable created and started: C:\Windows\xoldspeztkjurkawpgd.exe
Source: unknown	Executable created and started: C:\Windows\wketfzlduiemgwjc.exe
Source: unknown	Executable created and started: C:\Windows\zsrlcbsplefsrmecxqpja.exe
Source: unknown	Executable created and started: C:\Windows\mcypdznhaqoyumbwoe.exe

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\kcatjhxtoggsqkbyskib.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Users\user\AppData\Local\Temp\qkkfxxpnkeguuqjieyytll.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	File created: C:\Users\user\AppData\Local\Temp\wesbhvbnyg\wesbhvbnyg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\SysWOW64\kcatjhxtoggsqkbyskib.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Users\user\AppData\Local\Temp\kcatjhxtoggsqkbyskib.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\xoldspeztkjurkawpgd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\wketfzlduiemgwjc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\SysWOW64\mcypdznhaqoyumbwoe.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\SysWOW64\xoldspeztkjurkawpgd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\1 (325).exe	File created: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	File created: C:\Users\user\AppData\Local\Temp\wesbhvbnyg\RCXDE31.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\SysWOW64\wketfzlduiemgwjc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\SysWOW64\zsrlcbsplefsrmecxqpja.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\SysWOW64\dsndqlyrjyvezqeyp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\zsrlcbsplefsrmecxqpja.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	File created: C:\oyozhxftgqim.bat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	File created: C:\wesbhvbnyg.bat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Users\user\AppData\Local\Temp\mcypdznhaqoyumbwoe.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\dsndqlyrjyvezqeyp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\mcypdznhaqoyumbwoe.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\SysWOW64\qkkfxxpnkeguuqjieyytll.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	File created: C:\oasfphrhwiciao.bat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	File created: C:\Windows\qkkfxxpnkeguuqjieyytll.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wketfzlduiemgwjc
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce nypbkbkznyrwn
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run oyozhxftgqim
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run rexlwparhupwpeq

Source: C:\Users\user\Desktop\1 (325).exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1 (325).exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\wketfzlduiemgwjc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\wketfzlduiemgwjc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\wketfzlduiemgwjc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\wketfzlduiemgwjc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\wketfzlduiemgwjc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\wketfzlduiemgwjc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\wketfzlduiemgwjc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\wketfzlduiemgwjc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\wketfzlduiemgwjc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\wketfzlduiemgwjc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zsrlcbsplefsrmecxqpja.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\kcatjhxtoggsqkbyskib.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\kcatjhxtoggsqkbyskib.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\kcatjhxtoggsqkbyskib.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\kcatjhxtoggsqkbyskib.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\kcatjhxtoggsqkbyskib.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\kcatjhxtoggsqkbyskib.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\kcatjhxtoggsqkbyskib.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\kcatjhxtoggsqkbyskib.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\kcatjhxtoggsqkbyskib.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\kcatjhxtoggsqkbyskib.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\zsrlcbsplefsrmecxqpja.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\wketfzlduiemgwjc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\xoldspeztkjurkawpgd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\xoldspeztkjurkawpgd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mcypdznhaqoyumbwoe.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mcypdznhaqoyumbwoe.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mcypdznhaqoyumbwoe.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mcypdznhaqoyumbwoe.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mcypdznhaqoyumbwoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\mcypdznhaqoyumbwoe.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mcypdznhaqoyumbwoe.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mcypdznhaqoyumbwoe.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mcypdznhaqoyumbwoe.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mcypdznhaqoyumbwoe.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\zsrlcbsplefsrmecxqpja.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dsndqlyrjyvezqeyp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0040604A	1_2_0040604A
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0042185B	1_2_0042185B
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0040683C	1_2_0040683C
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0040C15D	1_2_0040C15D
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0041C19E	1_2_0041C19E
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_004202CD	1_2_004202CD
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00420B22	1_2_00420B22
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0041F6DA	1_2_0041F6DA
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_0040E690	1_2_0040E690
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00405F6F	1_2_00405F6F
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 1_2_00412FDD	1_2_00412FDD
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0040683C	3_2_0040683C
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0040C15D	3_2_0040C15D
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0041C19E	3_2_0041C19E
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00405F6F	3_2_00405F6F
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00412FDD	3_2_00412FDD
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0040604A	3_2_0040604A
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0042185B	3_2_0042185B
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_004202CD	3_2_004202CD
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_00420B22	3_2_00420B22
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0041F6DA	3_2_0041F6DA
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 3_2_0040E690	3_2_0040E690
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0040604A	4_2_0040604A
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0042185B	4_2_0042185B
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0040683C	4_2_0040683C
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0040C15D	4_2_0040C15D
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0041C19E	4_2_0041C19E
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_004202CD	4_2_004202CD
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00420B22	4_2_00420B22
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0041F6DA	4_2_0041F6DA
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_0040E690	4_2_0040E690
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00405F6F	4_2_00405F6F
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: 4_2_00412FDD	4_2_00412FDD
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0040604A	26_2_0040604A
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0042185B	26_2_0042185B
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0040683C	26_2_0040683C
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0040C15D	26_2_0040C15D
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0041C19E	26_2_0041C19E
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_004202CD	26_2_004202CD
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_00420B22	26_2_00420B22
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0041F6DA	26_2_0041F6DA
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_0040E690	26_2_0040E690
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_00405F6F	26_2_00405F6F
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: 26_2_00412FDD	26_2_00412FDD

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_1-29605
Source: C:\Windows\wketfzlduiemgwjc.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: GetCursorPos,Sleep,	1_2_0040C431
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: GetCursorPos,Sleep,	3_2_0040C431
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: GetCursorPos,Sleep,	4_2_0040C431
Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: GetCursorPos,Sleep,	26_2_0040C431

Source: C:\Users\user\AppData\Local\Temp\vynygujmbmu.exe	Code function: GetTickCount,GetAdaptersInfo,GetTickCount,GetAdaptersInfo,inet_addr,	1_2_00416896
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: GetTickCount,GetAdaptersInfo,GetTickCount,GetAdaptersInfo,inet_addr,	3_2_00416896
Source: C:\Users\user\AppData\Local\Temp\xcntwhk.exe	Code function: GetTickCount,GetAdaptersInfo,GetTickCount,GetAdaptersInfo,inet_addr,	4_2_00416896