
Analysis Report 8zwECUx69c

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 187825
Start date: 06.11.2019
Start time: 10:51:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 23s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 8zwECUx69c (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.spre.troj.evad.winEXE@297/38@254/15
EGA Information:
  • Successful, ratio: 50%
HDC Information:
  • Successful, ratio: 98.1% (good quality ratio 97.8%)
  • Quality average: 85.6%
  • Quality standard deviation: 19.3%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): dllhost.exe, VSSVC.exe, svchost.exe
  • Excluded domains from analysis (whitelisted):
  • Execution Graph export aborted for target HNPEYF~1:bin, PID 4784 because there are no executed functions
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.

Detection

Strategy   Score  Range    Reporting  Whitelisted  Threat     Detection
Threshold  100    0 - 100             false        Bitpaymer  malicious

Confidence

Strategy   Score  Range  Further Analysis Required?  Confidence
Threshold  5      0 - 5  false


Classification

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis.
Sample has functionality to log and monitor keystrokes; analyze it with the 'Simulates keyboard and window changes' cookbook.
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.



MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Service Execution 2 | Modify Existing Service 21 | Process Injection 1 | Masquerading 121 | Input Capture 21 | Query Registry 1 | Taint Shared Content 1 | Input Capture 21 | Data Encrypted 1 | Standard Cryptographic Protocol 2
Replication Through Removable Media | Service Execution | New Service 12 | New Service 12 | Software Packing 2 | Network Sniffing | Process Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 1
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Process Injection 1 | Input Capture | Security Software Discovery 11 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol 1
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | NTFS File Attributes 1 | Credentials in Files | System Network Configuration Discovery 2 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | File Deletion 21 | Account Manipulation | File and Directory Discovery 11 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | DLL Side-Loading 1 | Brute Force | System Information Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\HNPEYF~1 | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jiddGkrB | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
Source: 8zwECUx69c.exe | Joe Sandbox ML: detected
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Virustotal: Detection: 62%
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | Virustotal: Detection: 62%
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Virustotal: Detection: 62%
Multi AV Scanner detection for submitted file
Source: 8zwECUx69c.exe | Virustotal: Detection: 62%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Code function: 0_2_0040C4E3 CryptDecodeObject, CryptImportPublicKeyInfo

Spreading:

Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Performs a network lookup / discovery via ARP
Source: unknown | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Enumerates the file system
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\Adobe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Code function: 0_2_0040EA3C FindFirstFileExW

Networking:

Performs many domain queries via nslookup
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.16
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.15
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Uses nslookup.exe to query domains
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.15
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.16
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.15
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.15
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: 8.8.8.8.in-addr.arpa
Urls found in memory or binary data
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: http://s.symcd.com06
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: https://d.symcb.com/rpa0.
Source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr | String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: HNPEYF~1:bin, 00000002.00000002.1754203265.0000000002740000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: armsvc.exe, 00000006.00000003.2005336705.00000000035A2000.00000004.00000001.sdmp | Binary or memory string: !F_WinAPI_RegisterRawInputDevices.au3?

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Bitpaymer
Source: Yara match | File source: Process Memory Space: 8zwECUx69c.exe PID: 3848, type: MEMORY
Deletes shadow drive data (may be related to ransomware)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: HNPEYF~1:bin, 00000002.00000003.1748871672.0000000002763000.00000004.00000001.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exeWinSta0\DefaultALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_I
Source: vssadmin.exe, 00000003.00000002.1751831198.0000014D7B4D0000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exeWinSta0\Default
Source: vssadmin.exe, 00000003.00000002.1751831198.0000014D7B4D0000.00000004.00000020.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000003.00000002.1751806760.0000014D7B490000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000003.00000002.1751806760.0000014D7B490000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000003.00000002.1751806760.0000014D7B490000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000003.00000002.1751806760.0000014D7B490000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000003.00000002.1751806760.0000014D7B490000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000003.00000002.1752145078.0000014D7B895000.00000004.00000040.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exeDeleteShadows/All/Quiet
May disable shadow drive data (uses vssadmin)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

DDoS:

Too many similar processes found
Source: unknown | Process created: 212
Source: nslookup.exe | Process created: 42

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 00000000.00000002.1746366247.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Dridex v4 encrypt/decrypt function Author: kev
Source: 0.2.8zwECUx69c.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Dridex v4 encrypt/decrypt function Author: kev
Source: 0.2.8zwECUx69c.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Dridex v4 encrypt/decrypt function Author: kev
Contains functionality to call native functionsShow sources
Source: C:\Users\user\Desktop\8zwECUx69c.exeCode function: 0_2_0040D21E NtClose,0_2_0040D21E
Source: C:\Users\user\Desktop\8zwECUx69c.exeCode function: 0_2_004026CB CreateProcessW,NtClose,0_2_004026CB
Source: C:\Users\user\Desktop\8zwECUx69c.exeCode function: 0_2_0040D3BF NtClose,0_2_0040D3BF
Creates files inside the system directoryShow sources
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binFile created: C:\Windows\TEMP\Ve8DA9.tmpJump to behavior
Creates mutexes (the conhost.exe SM0:<pid>:120:WilError_01 mutants are standard console-host objects created for every console child and carry no signal; the two mutants worth tracking are the Global\{...} object from HNPEYF~1:bin and the oddly formed {{35778CD-...} object from jiddGkrB:bin, both created by the dropped payload copies)
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4336:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2956:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4396:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3212:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4184:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_01
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | Mutant created: \Sessions\1\BaseNamedObjects\Global\{4776E382-B4C5-66CE-33E1-C15BCF56522E}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4552:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:936:120:WilError_01
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Mutant created: \Sessions\1\BaseNamedObjects\{{35778CD-D-D8-93-8-2F9--728B-B673868}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4332:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2576:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3140:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3120:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_01
Deletes files inside the Windows folder
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | File deleted: C:\Windows\Temp\Ve8DA9.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Code function: 0_2_00401A49, 0_2_00401A49
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Code function: 0_2_0040428D, 0_2_0040428D
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Code function: 0_2_0040BD8E, 0_2_0040BD8E
Dropped file seen in connection with other malware (armsvc.exe, HNPEYF~1:bin and jiddGkrB:bin all carry SHA-256 BD327754F879FF15B48FC86C741C4F546B9BBAE5C1A5AC4C095DF05DF696EC4F, i.e. one payload under three names; the armsvc.exe:0 alternate data stream holds a different file, E5892B346904C7A392A0B1C8F4C9066BC535A2C70307123C8E1F2157353333F0)
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe BD327754F879FF15B48FC86C741C4F546B9BBAE5C1A5AC4C095DF05DF696EC4F
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe:0 E5892B346904C7A392A0B1C8F4C9066BC535A2C70307123C8E1F2157353333F0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\HNPEYF~1:bin BD327754F879FF15B48FC86C741C4F546B9BBAE5C1A5AC4C095DF05DF696EC4F
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\jiddGkrB:bin BD327754F879FF15B48FC86C741C4F546B9BBAE5C1A5AC4C095DF05DF696EC4F
PE file contains strange resources
Source: armsvc.exe_0.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 8zwECUx69c.exe, 00000000.00000002.1747321232.0000000002A70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemsader15.dllb! vs 8zwECUx69c.exe
Source: 8zwECUx69c.exe | Binary or memory string: OriginalFilenamemsader15.dllb! vs 8zwECUx69c.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\8zwECUx69c.exe | File read: C:\Users\user\Desktop\8zwECUx69c.exe
Tries to load missing DLLs (wow64.dll asks for wow64log.dll in every 32-bit process on 64-bit Windows and the file does not ship with the OS, so this signature fires for any WoW64 process and is not evidence of anything on its own)
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Section loaded: wow64log.dll
Yara signature match
Source: 8zwECUx69c.exe, type: SAMPLE | Matched rule: BitPaymer, author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 00000000.00000002.1746366247.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: DridexV4, author = kev, description = Dridex v4 encrypt/decrypt function, cape_type = Dridex v4 Payload
Source: C:\Users\user\AppData\Roaming\jiddGkrB, type: DROPPED | Matched rule: BitPaymer, author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED | Matched rule: BitPaymer, author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: C:\Users\user\AppData\Roaming\HNPEYF~1, type: DROPPED | Matched rule: BitPaymer, author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 0.2.8zwECUx69c.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: DridexV4, author = kev, description = Dridex v4 encrypt/decrypt function, cape_type = Dridex v4 Payload
Source: 0.2.8zwECUx69c.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: DridexV4, author = kev, description = Dridex v4 encrypt/decrypt function, cape_type = Dridex v4 Payload
Source: 0.0.8zwECUx69c.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: BitPaymer, author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 2.0.HNPEYF~1:bin.400000.0.unpack, type: UNPACKEDPE | Matched rule: BitPaymer, author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Source: 8.0.jiddGkrB:bin.400000.0.unpack, type: UNPACKEDPE | Matched rule: BitPaymer, author = Morphisec labs, description = Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer, refrence = http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
Binary contains paths to development resources
Source: armsvc.exe, 00000006.00000002.2170775052.0000000002E90000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files (x86)\AutoIt3\AutoItX\Examples\C++\AutoItX.sln
Classification label
Source: classification engine | Classification label: mal100.rans.spre.troj.evad.winEXE@297/38@254/15
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Code function: 0_2_0040CEE8 StartServiceCtrlDispatcherW, 0_2_0040CEE8
Contains functionality to register a service control handler (StartServiceCtrlDispatcherW is the call a service executable makes to connect its main thread to the Service Control Manager; since this sample is an EXE, it indicates the binary can run as a service process rather than as a service DLL, which fits the payload copy later found at the Adobe ARM service path C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe)
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Code function: 0_2_0040CEE8 StartServiceCtrlDispatcherW, 0_2_0040CEE8
Creates files inside the program directory (the :0 suffix is an alternate data stream attached to the Adobe ARM service binary)
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe:0
Creates files inside the user directory (HNPEYF~1 is the 8.3 short name of this file; the payload executes from its :bin stream)
Source: C:\Users\user\Desktop\8zwECUx69c.exe | File created: C:\Users\user\AppData\Roaming\hNpEYfkZG
Creates temporary files
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | File created: C:\Users\user\AppData\Local\Temp\uT8174.tmp
PE file has an executable .text section and no other executable section
Source: 8zwECUx69c.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: 8zwECUx69c.exe | Virustotal: Detection: 62%
Spawns processes (execution chain: the sample launches the ADS copy HNPEYF~1:bin with the sample's own path as argument; that copy deletes shadow copies and drops armsvc.exe, which launches the second ADS copy jiddGkrB:bin; that copy runs arp.exe -a and the nslookup.exe sweep of 192.168.2.1 through 192.168.2.16, each child getting its own conhost.exe)
Source: unknown | Process created: C:\Users\user\Desktop\8zwECUx69c.exe 'C:\Users\user\Desktop\8zwECUx69c.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\HNPEYF~1:bin C:\Users\user\AppData\Roaming\HNPEYF~1:bin C:\Users\user\Desktop\8ZWECU~1.EXE
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\jiddGkrB:bin C:\Users\user\AppData\Roaming\jiddGkrB:bin
Source: unknown | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.15
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.16
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Process created: C:\Users\user\AppData\Roaming\HNPEYF~1:bin C:\Users\user\AppData\Roaming\HNPEYF~1:bin C:\Users\user\Desktop\8ZWECU~1.EXE
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Process created: C:\Users\user\AppData\Roaming\jiddGkrB:bin C:\Users\user\AppData\Roaming\jiddGkrB:bin
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.15
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.15
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\vssadmin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
PE file contains a debug data directory
Source: 8zwECUx69c.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: D:\CB\ARM_Main\BuildResults\bin\Win32\Release\armsvc.pdb A source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr
Source: Binary string: D:\CB\ARM_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: HNPEYF~1:bin, 00000002.00000003.1752655662.00000000042C2000.00000004.00000001.sdmp, armsvc.exe_0.2.dr
Source: Binary string: 04QuURX.pdb source: 8zwECUx69c.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Unpacked PE file: 0.2.8zwECUx69c.exe.400000.0.unpack .text:ER;.data0:R;.data:W;.qdata:W;.code:W;.CRT:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;.bss:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Unpacked PE file: 0.2.8zwECUx69c.exe.400000.0.unpack
PE file contains sections with non-standard names
Source: 8zwECUx69c.exe | Static PE information: section name: .data0
Source: 8zwECUx69c.exe | Static PE information: section name: .qdata
Source: 8zwECUx69c.exe | Static PE information: section name: .code
Source: HNPEYF~1_bin.0.dr | Static PE information: section name: .data0
Source: HNPEYF~1_bin.0.dr | Static PE information: section name: .qdata
Source: HNPEYF~1_bin.0.dr | Static PE information: section name: .code
Source: armsvc.exe.2.dr | Static PE information: section name: .data0
Source: armsvc.exe.2.dr | Static PE information: section name: .qdata
Source: armsvc.exe.2.dr | Static PE information: section name: .code
Source: jiddGkrB_bin.6.dr | Static PE information: section name: .data0
Source: jiddGkrB_bin.6.dr | Static PE information: section name: .qdata
Source: jiddGkrB_bin.6.dr | Static PE information: section name: .code

Persistence and Installation Behavior:

Drops executable to a common third party application directory
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Drops PE files
Source: C:\Users\user\Desktop\8zwECUx69c.exe | File created: C:\Users\user\AppData\Roaming\HNPEYF~1:bin
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe:0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Users\user\AppData\Roaming\jiddGkrB:bin
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe:0

Boot Survival:

Creates or modifies windows services
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sppsvc
Modifies existing windows services
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sppsvc
Contains functionality to start windows services
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Code function: 0_2_0040CEE8 StartServiceCtrlDispatcherW

Hooking and other Techniques for Hiding and Protection:

Creates files in alternative data streams (ADS)
Source: C:\Users\user\Desktop\8zwECUx69c.exe | File created: C:\Users\user\AppData\Roaming\HNPEYF~1:bin
Deletes itself after installation
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | File deleted: c:\users\user\desktop\8zwecux69c.exe
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Enumerates the file system
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\Adobe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe:0
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Check user administrative privileges: GetTokenInformation (graph_0-9380)
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Code function: 0_2_0040EA3C FindFirstFileExW
Contains functionality to query system information
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Code function: 0_2_0040727A GetSystemInfo
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: HNPEYF~1:bin, 00000002.00000003.1752887390.0000000004266000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange ServiceUB0
Source: HNPEYF~1:bin, 00000002.00000003.1752887390.0000000004266000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: HNPEYF~1:bin, 00000002.00000003.1752887390.0000000004266000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: HNPEYF~1:bin, 00000002.00000003.1752887390.0000000004266000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization ServiceTC1
Source: HNPEYF~1:bin, 00000002.00000003.1752887390.0000000004266000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface&B
Source: ARP.EXE, 00000009.00000002.1761196645.0000018D87730000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Program exit points
Source: C:\Users\user\Desktop\8zwECUx69c.exe | API call chain: ExitProcess graph end node (graph_0-9663)
Queries a list of all running processes
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Code function: 0_2_00407DEC LdrLoadDll

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\8zwECUx69c.exe | Process created: C:\Users\user\AppData\Roaming\HNPEYF~1:bin C:\Users\user\AppData\Roaming\HNPEYF~1:bin C:\Users\user\Desktop\8ZWECU~1.EXE
Source: C:\Users\user\AppData\Roaming\HNPEYF~1:bin | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\ARP.EXE C:\Windows\system32\\arp.exe -a
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.2
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.3
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.4
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.6
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.8
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.9
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.11
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.12
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.13
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.14
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.15
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\jiddGkrB:bin | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7Jump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknown
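The rows above can be triaged mechanically. The following is an added example, not Joe Sandbox code and not part of the original report: it parses behaviour rows of the form shown here (the row grammar is inferred from this excerpt), strips the "Jump to behavior" link text, and flags the two things a responder would want surfaced from this table: a parent that executes from an NTFS alternate data stream (the ":bin" suffix) and a burst of nslookup.exe children resolving private addresses. The sample rows are copied from the excerpt; the `nslookup_threshold` of 3 is an assumption.

```python
"""Parse Joe Sandbox-style "Process created" behaviour rows and flag the
pattern in the excerpt above: a parent executing from an NTFS alternate data
stream that spawns nslookup.exe against private addresses.

Added example, not Joe Sandbox code. The row grammar is inferred from the
excerpt; the indicator threshold is an assumption.
"""
import ipaddress
import re
from collections import Counter

# Rows copied from the report excerpt above, including the trailing
# "Jump to behavior" link text, so the parser is shown stripping it.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknownJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.1Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.10Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: C:\Windows\System32\nslookup.exe C:\Windows\system32\\nslookup.exe 192.168.2.7Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\jiddGkrB:binProcess created: unknown unknown",
]

# "Source: <parent>Process created: <image> <command line>[Jump to behavior]"
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)Process created:\s*(?P<image>\S+)\s*"
    r"(?P<cmdline>.*?)(?:Jump to behavior)?\s*$"
)
# Drive-letter path whose final component carries a second ':' is an NTFS
# alternate data stream, e.g. ...\jiddGkrB:bin.
ADS_RE = re.compile(r"^[A-Za-z]:\\.*\\[^\\:]+:[^\\]+$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_row(row):
    """Return {source, image, cmdline} for one behaviour row, or None."""
    m = ROW_RE.match(row)
    if not m:
        return None
    return {"source": m["source"].strip(), "image": m["image"],
            "cmdline": m["cmdline"].strip()}


def is_ads_path(path):
    return ADS_RE.match(path) is not None


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def private_ips(text):
    """IPv4 literals in text that fall in RFC 1918 / other private ranges."""
    found = []
    for ip in IPV4_RE.findall(text):
        try:
            if ipaddress.ip_address(ip).is_private:
                found.append(ip)
        except ValueError:  # e.g. an octet above 255
            pass
    return found


def triage(rows, nslookup_threshold=3):
    """Group rows by parent and return one finding dict per parent."""
    by_parent = {}
    for event in filter(None, map(parse_row, rows)):
        by_parent.setdefault(event["source"], []).append(event)

    findings = []
    for parent, children in by_parent.items():
        images = Counter(basename(e["image"]) for e in children)
        targets = {ip for e in children if basename(e["image"]) == "nslookup.exe"
                   for ip in private_ips(e["cmdline"])}
        indicators = []
        if is_ads_path(parent):
            indicators.append("parent executes from an NTFS alternate data stream")
        if images["nslookup.exe"] >= nslookup_threshold:
            indicators.append(
                f"{images['nslookup.exe']} nslookup.exe children resolving "
                f"{len(targets)} private address(es): reverse-DNS host discovery")
        if images["unknown"]:
            indicators.append(
                f"{images['unknown']} child processes with no recovered image or command line")
        findings.append({
            "parent": parent,
            "ads_parent": is_ads_path(parent),
            "image_counts": images,
            "private_lookup_targets": sorted(targets, key=ipaddress.ip_address),
            "indicators": indicators,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f["parent"])
        for line in f["indicators"]:
            print("  -", line)
```

Run against the six sample rows, `triage` returns a single finding for the ":bin" parent with all three indicators set. Feeding it the full table (with the "unknown unknown" runs expanded) only changes the counts, which is the point: the ADS parent and the nslookup sweep are visible from a handful of rows, while the repeated unknown children tell the analyst how much process activity the sandbox could not attribute.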