Play interactive tour

Edit tour

Analysis Report mYh6vuKw7H.exe

Overview

General Information

Sample Name:	mYh6vuKw7H.exe
Analysis ID:	397625
MD5:	95a3b26416f41375ef06106fb58a3764
SHA1:	952f57980d5105d94bc2e0ae389f0cc7e44ae27d
SHA256:	f8e52fa75724eb08c0ec68db6799740ad36c7178b8f0dd7c8b0ee755ff60c653
Tags:	exeRATXpertRAT
Infos:
Most interesting Screenshot:

Detection

XpertRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Generic Dropper

Yara detected XpertRAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious names

Disables user account control notifications

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Potential browser exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

mYh6vuKw7H.exe (PID: 5728 cmdline: 'C:\Users\user\Desktop\mYh6vuKw7H.exe' MD5: 95A3B26416F41375EF06106FB58A3764)

mYh6vuKw7H.exe (PID: 4792 cmdline: {path} MD5: 95A3B26416F41375EF06106FB58A3764)

iexplore.exe (PID: 4856 cmdline: C:\Users\user\Desktop\mYh6vuKw7H.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

WerFault.exe (PID: 2024 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 76 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

iexplore.exe (PID: 1200 cmdline: C:\Users\user\Desktop\mYh6vuKw7H.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe (PID: 4456 cmdline: 'C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe' MD5: 95A3B26416F41375EF06106FB58A3764)

U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe (PID: 6024 cmdline: {path} MD5: 95A3B26416F41375EF06106FB58A3764)

U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe (PID: 6028 cmdline: {path} MD5: 95A3B26416F41375EF06106FB58A3764)

U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe (PID: 1740 cmdline: 'C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe' MD5: 95A3B26416F41375EF06106FB58A3764)

U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe (PID: 4752 cmdline: {path} MD5: 95A3B26416F41375EF06106FB58A3764)

U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe (PID: 5852 cmdline: 'C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe' MD5: 95A3B26416F41375EF06106FB58A3764)

U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe (PID: 4900 cmdline: {path} MD5: 95A3B26416F41375EF06106FB58A3764)

cleanup

Malware Configuration

Threatname: XpertRAT

{"C2 list": ["kapasky-antivirus.firewall-gateway.net:2054", "kapasky-antivirus.firewall-gateway.net:4000"], "Mutex": "U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7", "Group": "XXX", "Name": "WWW", "Version": "3.0.10", "Password": "root"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0xad60:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp	JoeSecurity_XpertRAT	Yara detected XpertRAT	Joe Security
00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp	JoeSecurity_XpertRAT	Yara detected XpertRAT	Joe Security
00000014.00000002.328609603.00000000037E5000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x7cc84:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp	JoeSecurity_XpertRAT	Yara detected XpertRAT	Joe Security
00000000.00000002.232826022.0000000003D25000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x7cc84:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000B.00000002.309855578.0000000004565000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth
Process Memory Space: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe PID: 4456	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: iexplore.exe PID: 1200	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: iexplore.exe PID: 1200	JoeSecurity_XpertRAT	Yara detected XpertRAT	Joe Security
Process Memory Space: mYh6vuKw7H.exe PID: 4792	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: mYh6vuKw7H.exe PID: 4792	JoeSecurity_XpertRAT	Yara detected XpertRAT	Joe Security
Process Memory Space: mYh6vuKw7H.exe PID: 5728	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe PID: 1740	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author
5.2.iexplore.exe.400000.0.raw.unpack	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
5.2.iexplore.exe.400000.0.raw.unpack	JoeSecurity_XpertRAT	Yara detected XpertRAT	Joe Security
1.3.mYh6vuKw7H.exe.3c642d0.0.unpack	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
1.3.mYh6vuKw7H.exe.3c642d0.0.unpack	JoeSecurity_XpertRAT	Yara detected XpertRAT	Joe Security
1.3.mYh6vuKw7H.exe.3c642d0.0.raw.unpack	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
1.3.mYh6vuKw7H.exe.3c642d0.0.raw.unpack	JoeSecurity_XpertRAT	Yara detected XpertRAT	Joe Security
5.2.iexplore.exe.400000.0.unpack	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
5.2.iexplore.exe.400000.0.unpack	JoeSecurity_XpertRAT	Yara detected XpertRAT	Joe Security
Click to see the 3 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.3.mYh6vuKw7H.exe.3c642d0.0.raw.unpack

Malware Configuration Extractor: XpertRAT {"C2 list": ["kapasky-antivirus.firewall-gateway.net:2054", "kapasky-antivirus.firewall-gateway.net:4000"], "Mutex": "U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7", "Group": "XXX", "Name": "WWW", "Version": "3.0.10", "Password": "root"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe

ReversingLabs: Detection: 40%

Multi AV Scanner detection for submitted file

Show sources

Source: mYh6vuKw7H.exe	Virustotal: Detection: 35%			Perma Link
Source: mYh6vuKw7H.exe	ReversingLabs: Detection: 40%

Source: 20.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.385e1e0.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.38ce1e0.4.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.2.mYh6vuKw7H.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 21.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.45de1e0.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.3.mYh6vuKw7H.exe.3c642d0.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.mYh6vuKw7H.exe.3d9e1e0.3.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 5.2.iexplore.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe

Unpacked PE file: 1.2.mYh6vuKw7H.exe.400000.0.unpack

Source: mYh6vuKw7H.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: mYh6vuKw7H.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Process created: C:\Windows\SysWOW64\WerFault.exe

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: kapasky-antivirus.firewall-gateway.net:2054
Source: Malware configuration extractor	URLs: kapasky-antivirus.firewall-gateway.net:4000

Source: global traffic

TCP traffic: 192.168.2.3:49686 -> 31.210.21.252:2054

Source: Joe Sandbox View

ASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE

Source: unknown

DNS traffic detected: queries for: kapasky-antivirus.firewall-gateway.net

Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: mYh6vuKw7H.exe, 00000000.00000003.209735253.000000000596F000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp, mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com81i
Source: mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comC
Source: mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comC%
Source: mYh6vuKw7H.exe, 00000000.00000003.210446943.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comCs
Source: mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comJ=
Source: mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comL
Source: mYh6vuKw7H.exe, 00000000.00000003.209920096.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comT=
Source: mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comal
Source: mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comar
Source: mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comb=
Source: mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comcd
Source: mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comd
Source: mYh6vuKw7H.exe, 00000000.00000003.209867590.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comda10
Source: mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comht
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: mYh6vuKw7H.exe, 00000000.00000003.209851207.0000000005972000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comslnt
Source: mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comtan
Source: mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comw1
Source: mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comx=
Source: mYh6vuKw7H.exe, 00000000.00000002.234390584.0000000005944000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: mYh6vuKw7H.exe, 00000000.00000003.212529608.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/=
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mYh6vuKw7H.exe, 00000000.00000003.212497473.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers2
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, mYh6vuKw7H.exe, 00000000.00000003.213169927.0000000005970000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: mYh6vuKw7H.exe, 00000000.00000003.213169927.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers99a
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: mYh6vuKw7H.exe, 00000000.00000002.234390584.0000000005944000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdiasD
Source: mYh6vuKw7H.exe, 00000000.00000002.234390584.0000000005944000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comgreta
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mYh6vuKw7H.exe, 00000000.00000003.210863832.000000000594B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/$D
Source: mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/%Dc
Source: mYh6vuKw7H.exe, 00000000.00000003.210863832.000000000594B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/BE
Source: mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/TD0
Source: mYh6vuKw7H.exe, 00000000.00000003.210863832.000000000594B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-u
Source: mYh6vuKw7H.exe, 00000000.00000003.210863832.000000000594B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/BE
Source: mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/mD
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: mYh6vuKw7H.exe, 00000000.00000003.209785323.0000000005970000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: mYh6vuKw7H.exe, 00000000.00000003.209785323.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnht

Source: mYh6vuKw7H.exe, 00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000014.00000002.328609603.00000000037E5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.232826022.0000000003D25000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000B.00000002.309855578.0000000004565000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 0_2_006D640E	0_2_006D640E
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 0_2_006D6641	0_2_006D6641
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_0133DAE2	1_3_0133DAE2
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_0133DAE2	1_3_0133DAE2
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_01342458	1_3_01342458
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_01342458	1_3_01342458
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_01342458	1_3_01342458
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_0133DAE2	1_3_0133DAE2
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_0133DAE2	1_3_0133DAE2
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_01342458	1_3_01342458
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_01342458	1_3_01342458
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_01342458	1_3_01342458
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_0133DAE2	1_3_0133DAE2
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_0133DAE2	1_3_0133DAE2
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_01342458	1_3_01342458
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_01342458	1_3_01342458
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_01342458	1_3_01342458
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_2_00B8640E	1_2_00B8640E
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_2_00B86641	1_2_00B86641
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 8_2_0029640E	8_2_0029640E
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 8_2_00BAC5E4	8_2_00BAC5E4
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 8_2_00BAEA30	8_2_00BAEA30
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 8_2_00BAEA20	8_2_00BAEA20
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 8_2_00296641	8_2_00296641
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_00DD640E	11_2_00DD640E
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_015FC5E4	11_2_015FC5E4
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_015FEA30	11_2_015FEA30
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_015FEA20	11_2_015FEA20
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F5468	11_2_075F5468
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F1278	11_2_075F1278
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F4900	11_2_075F4900
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F9920	11_2_075F9920
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F21A8	11_2_075F21A8
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F0040	11_2_075F0040
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F6860	11_2_075F6860
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075FA008	11_2_075FA008
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F0898	11_2_075F0898
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F5F49	11_2_075F5F49
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F4700	11_2_075F4700
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F9FF0	11_2_075F9FF0
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F5F90	11_2_075F5F90
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F9638	11_2_075F9638
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F9628	11_2_075F9628
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F46F0	11_2_075F46F0
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F0D10	11_2_075F0D10
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F0D00	11_2_075F0D00
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F6D90	11_2_075F6D90
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F4478	11_2_075F4478
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F4488	11_2_075F4488
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F5360	11_2_075F5360
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F3BC8	11_2_075F3BC8
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F53C1	11_2_075F53C1
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F3BB8	11_2_075F3BB8
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F4250	11_2_075F4250
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F4240	11_2_075F4240
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F1268	11_2_075F1268
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F7298	11_2_075F7298
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F7288	11_2_075F7288
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F9910	11_2_075F9910
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F590A	11_2_075F590A
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F2181	11_2_075F2181
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F6850	11_2_075F6850
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F3068	11_2_075F3068
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F3066	11_2_075F3066
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F001E	11_2_075F001E
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F48F2	11_2_075F48F2
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F0889	11_2_075F0889
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_00DD6641	11_2_00DD6641

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 76

Source: mYh6vuKw7H.exe	Binary or memory string: OriginalFilename vs mYh6vuKw7H.exe
Source: mYh6vuKw7H.exe, 00000000.00000002.232826022.0000000003D25000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename2.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD
Source: mYh6vuKw7H.exe, 00000000.00000002.232826022.0000000003D25000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs mYh6vuKw7H.exe
Source: mYh6vuKw7H.exe, 00000000.00000002.238175883.0000000007530000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs mYh6vuKw7H.exe
Source: mYh6vuKw7H.exe, 00000000.00000002.229900126.0000000002B39000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSmartFormat.dll8 vs mYh6vuKw7H.exe
Source: mYh6vuKw7H.exe	Binary or memory string: OriginalFilename vs mYh6vuKw7H.exe
Source: mYh6vuKw7H.exe, 00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename1.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD vs mYh6vuKw7H.exe
Source: mYh6vuKw7H.exe, 00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename1.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADrvv@ vs mYh6vuKw7H.exe
Source: mYh6vuKw7H.exe, 00000001.00000003.238059404.0000000003C65000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename1.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADX0ve@ vs mYh6vuKw7H.exe
Source: mYh6vuKw7H.exe, 00000001.00000003.251595646.00000000013ED000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename1.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADrvv=4 vs mYh6vuKw7H.exe
Source: mYh6vuKw7H.exe, 00000001.00000002.251887637.0000000000400000.00000040.00000001.sdmp	Binary or memory string: OriginalFilename2.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD
Source: mYh6vuKw7H.exe, 00000001.00000002.252383680.0000000002CC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs mYh6vuKw7H.exe
Source: mYh6vuKw7H.exe	Binary or memory string: OriginalFilename1FHG vs mYh6vuKw7H.exe

Source: mYh6vuKw7H.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.328609603.00000000037E5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.232826022.0000000003D25000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.309855578.0000000004565000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/7@1/1

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mYh6vuKw7H.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4856

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe

File created: C:\Users\user\AppData\Local\Temp\~DFDA60EFE2D9C19F68.TMP

Jump to behavior

Source: mYh6vuKw7H.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mYh6vuKw7H.exe	Virustotal: Detection: 35%
Source: mYh6vuKw7H.exe	ReversingLabs: Detection: 40%

Source: unknown	Process created: C:\Users\user\Desktop\mYh6vuKw7H.exe 'C:\Users\user\Desktop\mYh6vuKw7H.exe'
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process created: C:\Users\user\Desktop\mYh6vuKw7H.exe {path}
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\Desktop\mYh6vuKw7H.exe
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 76
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\Desktop\mYh6vuKw7H.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe 'C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe 'C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe'
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe 'C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe'
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process created: C:\Users\user\Desktop\mYh6vuKw7H.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\Desktop\mYh6vuKw7H.exe	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\Desktop\mYh6vuKw7H.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: mYh6vuKw7H.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: mYh6vuKw7H.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: mYh6vuKw7H.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe

Unpacked PE file: 1.2.mYh6vuKw7H.exe.400000.0.unpack

.NET source code contains potential unpacker

Show sources

Source: mYh6vuKw7H.exe, SortingVisualizer/frmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.mYh6vuKw7H.exe.6d0000.0.unpack, SortingVisualizer/frmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.mYh6vuKw7H.exe.6d0000.0.unpack, SortingVisualizer/frmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.mYh6vuKw7H.exe.b80000.0.unpack, SortingVisualizer/frmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.mYh6vuKw7H.exe.b80000.1.unpack, SortingVisualizer/frmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.5.dr, SortingVisualizer/frmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.290000.0.unpack, SortingVisualizer/frmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.290000.0.unpack, SortingVisualizer/frmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.dd0000.0.unpack, SortingVisualizer/frmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.dd0000.0.unpack, SortingVisualizer/frmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.3d0000.0.unpack, SortingVisualizer/frmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.3d0000.0.unpack, SortingVisualizer/frmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.bb0000.0.unpack, SortingVisualizer/frmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.bb0000.1.unpack, SortingVisualizer/frmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: mYh6vuKw7H.exe

Static PE information: 0xDB5235E3 [Wed Aug 7 22:34:11 2086 UTC]

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 0_2_006DB76B push es; retf	0_2_006DB76C
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_0133C9A2 pushad ; iretd	1_3_0133CEA9
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_0133C9A2 pushad ; iretd	1_3_0133CEA9
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_0133C9A2 pushad ; iretd	1_3_0133CEA9
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_3_0133C9A2 pushad ; iretd	1_3_0133CEA9
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_2_00402550 push 004010A4h; ret	1_2_00402563
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_2_00402564 push 004010A4h; ret	1_2_00402577
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_2_0040250F push 004010A4h; ret	1_2_0040254F
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_2_00402A38 push 004010A4h; ret	1_2_00402D77
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_2_00402D9A push ebp; retf	1_2_00402D9B
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Code function: 1_2_00B8B76B push es; retf	1_2_00B8B76C
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 8_2_0029B76B push es; retf	8_2_0029B76C
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 8_2_00BADFE0 push 2C04B4CBh; retf	8_2_00BADFE5
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_00DDB76B push es; retf	11_2_00DDB76C
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_015FDFE0 push 2C0321CBh; retf	11_2_015FDFE5
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Code function: 11_2_075F621E push ds; iretd	11_2_075F621F

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe

Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7

Jump to behavior

Creates autostart registry keys with suspicious names

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7			Jump to behavior

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: Process Memory Space: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe PID: 4456, type: MEMORY
Source: Yara match	File source: Process Memory Space: mYh6vuKw7H.exe PID: 5728, type: MEMORY
Source: Yara match	File source: Process Memory Space: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe PID: 1740, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: mYh6vuKw7H.exe, 00000000.00000002.229900126.0000000002B39000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.292297226.0000000002621000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.308025525.0000000003379000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.327011961.00000000025F9000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: mYh6vuKw7H.exe, 00000000.00000002.229900126.0000000002B39000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.292297226.0000000002621000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.308025525.0000000003379000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.327011961.00000000025F9000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Window / User API: threadDelayed 6015			Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Window / User API: threadDelayed 3984			Jump to behavior

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe TID: 2408	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe TID: 672	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe TID: 4576	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe TID: 4716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe TID: 3636	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe TID: 5496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe TID: 5856	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe TID: 2000	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Thread delayed: delay time: 31500	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Thread delayed: delay time: 31500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Thread delayed: delay time: 31500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Thread delayed: delay time: 31500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.327011961.00000000025F9000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.327011961.00000000025F9000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.327011961.00000000025F9000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.327011961.00000000025F9000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.327011961.00000000025F9000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.327011961.00000000025F9000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.327011961.00000000025F9000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.327011961.00000000025F9000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.327011961.00000000025F9000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe

Memory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Memory written: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Memory written: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe base: 400000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 42A008	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 442000	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 7E8008	Jump to behavior

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process created: C:\Users\user\Desktop\mYh6vuKw7H.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\Desktop\mYh6vuKw7H.exe	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\Desktop\mYh6vuKw7H.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}	Jump to behavior

Source: iexplore.exe	Binary or memory string: Program Manager
Source: iexplore.exe, 00000005.00000002.481559785.00000000034F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: mYh6vuKw7H.exe, 00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp, iexplore.exe	Binary or memory string: Progman
Source: mYh6vuKw7H.exe, 00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp, iexplore.exe, 00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp	Binary or memory string: Program ManagerCopyHere
Source: iexplore.exe, 00000005.00000002.481559785.00000000034F0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Users\user\Desktop\mYh6vuKw7H.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center UACDisableNotify

Jump to behavior

Disables user account control notifications

Show sources

Source: C:\Users\user\Desktop\mYh6vuKw7H.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter : Select * From antivirusProduct
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From antivirusProduct
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter : Select * From FirewallProduct
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From FirewallProduct

Stealing of Sensitive Information:

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: 00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iexplore.exe PID: 1200, type: MEMORY
Source: Yara match	File source: Process Memory Space: mYh6vuKw7H.exe PID: 4792, type: MEMORY
Source: Yara match	File source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.mYh6vuKw7H.exe.3c642d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.mYh6vuKw7H.exe.3c642d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE

Yara detected XpertRAT

Show sources

Source: Yara match	File source: 00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iexplore.exe PID: 1200, type: MEMORY
Source: Yara match	File source: Process Memory Space: mYh6vuKw7H.exe PID: 4792, type: MEMORY
Source: Yara match	File source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.mYh6vuKw7H.exe.3c642d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.mYh6vuKw7H.exe.3c642d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected XpertRAT

Show sources

Source: Yara match	File source: 00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iexplore.exe PID: 1200, type: MEMORY
Source: Yara match	File source: Process Memory Space: mYh6vuKw7H.exe PID: 4792, type: MEMORY
Source: Yara match	File source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.mYh6vuKw7H.exe.3c642d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.mYh6vuKw7H.exe.3c642d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Registry Run Keys / Startup Folder21	Process Injection312	Masquerading1	Input Capture11	Security Software Discovery211	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder21	Disable or Modify Tools21	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Bypass User Access Control1	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection312	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing21	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Timestomp1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Bypass User Access Control1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mYh6vuKw7H.exe	35%	Virustotal		Browse
mYh6vuKw7H.exe	40%	ReversingLabs	ByteCode-MSIL.Infostealer.Coins

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe	40%	ReversingLabs	ByteCode-MSIL.Infostealer.Coins

Unpacked PE Files

Source	Detection	Scanner	Label	Download
20.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.385e1e0.2.unpack	100%	Avira	TR/Dropper.Gen	Download File
8.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.38ce1e0.4.unpack	100%	Avira	TR/Dropper.Gen	Download File
1.2.mYh6vuKw7H.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
21.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
11.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.45de1e0.2.unpack	100%	Avira	TR/Dropper.Gen	Download File
14.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
1.3.mYh6vuKw7H.exe.3c642d0.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.2.mYh6vuKw7H.exe.3d9e1e0.3.unpack	100%	Avira	TR/Dropper.Gen	Download File
19.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
5.2.iexplore.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
kapasky-antivirus.firewall-gateway.net	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.carterandcone.comJ=	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cnht	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
kapasky-antivirus.firewall-gateway.net:2054	0%	Avira URL Cloud	safe
http://www.carterandcone.comar	0%	Avira URL Cloud	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/BE	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.carterandcone.comx=	0%	Avira URL Cloud	safe
http://www.carterandcone.comC%	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/$D	0%	Avira URL Cloud	safe
http://www.fontbureau.comdiasD	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
kapasky-antivirus.firewall-gateway.net:4000	0%	Avira URL Cloud	safe
http://www.carterandcone.comC	0%	URL Reputation	safe
http://www.carterandcone.comC	0%	URL Reputation	safe
http://www.carterandcone.comC	0%	URL Reputation	safe
http://www.fontbureau.comgreta	0%	URL Reputation	safe
http://www.fontbureau.comgreta	0%	URL Reputation	safe
http://www.fontbureau.comgreta	0%	URL Reputation	safe
http://www.carterandcone.comCs	0%	Avira URL Cloud	safe
http://www.carterandcone.comda10	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp//	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//	0%	URL Reputation	safe
http://www.carterandcone.comht	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/TD0	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/mD	0%	Avira URL Cloud	safe
http://www.carterandcone.comtan	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.carterandcone.comb=	0%	Avira URL Cloud	safe
http://www.carterandcone.comL	0%	Avira URL Cloud	safe
http://www.carterandcone.comw1	0%	Avira URL Cloud	safe
http://www.carterandcone.com81i	0%	Avira URL Cloud	safe
http://www.carterandcone.comd	0%	URL Reputation	safe
http://www.carterandcone.comd	0%	URL Reputation	safe
http://www.carterandcone.comd	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comT=	0%	Avira URL Cloud	safe
http://www.carterandcone.comslnt	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.carterandcone.comcd	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/%Dc	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/BE	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0-u	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kapasky-antivirus.firewall-gateway.net	31.210.21.252	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
kapasky-antivirus.firewall-gateway.net:2054	true	Avira URL Cloud: safe	unknown
kapasky-antivirus.firewall-gateway.net:4000	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comJ=	mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/?	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false		high
http://www.zhongyicts.com.cnht	mYh6vuKw7H.exe, 00000000.00000003.209785323.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comar	mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/=	mYh6vuKw7H.exe, 00000000.00000003.212529608.0000000005970000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers?	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comal	mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers99a	mYh6vuKw7H.exe, 00000000.00000003.213169927.0000000005970000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/Y0/BE	mYh6vuKw7H.exe, 00000000.00000003.210863832.000000000594B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comx=	mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers	U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comC%	mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.goodfont.co.kr	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp, mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/$D	mYh6vuKw7H.exe, 00000000.00000003.210863832.000000000594B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comdiasD	mYh6vuKw7H.exe, 00000000.00000002.234390584.0000000005944000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comC	mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comgreta	mYh6vuKw7H.exe, 00000000.00000002.234390584.0000000005944000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comCs	mYh6vuKw7H.exe, 00000000.00000003.210446943.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comda10	mYh6vuKw7H.exe, 00000000.00000003.209867590.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp//	mYh6vuKw7H.exe, 00000000.00000003.210863832.000000000594B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comht	mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/TD0	mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/mD	mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comtan	mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	mYh6vuKw7H.exe, 00000000.00000003.209785323.0000000005970000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.como.	mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comb=	mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.comL	mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comw1	mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	mYh6vuKw7H.exe, 00000000.00000003.209735253.000000000596F000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false		high
http://www.carterandcone.com81i	mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com	mYh6vuKw7H.exe, 00000000.00000002.234390584.0000000005944000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comd	mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comTC	mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comT=	mYh6vuKw7H.exe, 00000000.00000003.209920096.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.comslnt	mYh6vuKw7H.exe, 00000000.00000003.209851207.0000000005972000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false		unknown
http://www.fontbureau.com/designers/cabarga.htmlN	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, mYh6vuKw7H.exe, 00000000.00000003.213169927.0000000005970000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comcd	mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/%Dc	mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/BE	mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0-u	mYh6vuKw7H.exe, 00000000.00000003.210863832.000000000594B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers2	mYh6vuKw7H.exe, 00000000.00000003.212497473.0000000005970000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
31.210.21.252	kapasky-antivirus.firewall-gateway.net	Netherlands		61157	PLUSSERVER-ASN1DE	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	397625
Start date:	26.04.2021
Start time:	08:50:57
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	mYh6vuKw7H.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/7@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.8% (good quality ratio 5.1%) Quality average: 56.5% Quality standard deviation: 36%
HCA Information:	Successful, ratio: 92% Number of executed functions: 52 Number of non-executed functions: 1
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 52.255.188.83, 184.30.24.56, 168.61.161.212 Excluded domains from analysis (whitelisted): skypedataprdcoleus17.cloudapp.net, fs.microsoft.com, blobcollector.events.data.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolcus15.cloudapp.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:51:53	API Interceptor	1x Sleep call for process: mYh6vuKw7H.exe modified
08:52:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7 C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe
08:52:15	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7 C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe
08:52:21	API Interceptor	3x Sleep call for process: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe modified
08:52:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7 C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
31.210.21.252	Xi9F1U1mti.exe	Get hash	malicious	Browse
31.210.21.252	PyQdnx9PHg.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
kapasky-antivirus.firewall-gateway.net	juFSQ6AmWQ.exe	Get hash	malicious	Browse	45.85.90.92
	8mOB0MBW71.exe	Get hash	malicious	Browse	45.154.4.64
	16j7nmOOPS.exe	Get hash	malicious	Browse	45.154.4.64
	RFQ_Quotation_33645.jar	Get hash	malicious	Browse	45.154.4.64
	RFQ_Quotation_33645.jar	Get hash	malicious	Browse	45.154.4.64

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PLUSSERVER-ASN1DE	Xi9F1U1mti.exe	Get hash	malicious	Browse	31.210.21.252
	RE NEW PO- PO20- 1st Revised.jar	Get hash	malicious	Browse	31.210.20.96
	RE NEW PO- PO20- 1st Revised.jar	Get hash	malicious	Browse	31.210.20.96
	PyQdnx9PHg.exe	Get hash	malicious	Browse	31.210.21.252
	n6osajjc938.exe	Get hash	malicious	Browse	46.229.45.30
	gunzipped.exe	Get hash	malicious	Browse	31.210.20.121
	DHL Shipments Docs Arrival.exe	Get hash	malicious	Browse	31.210.20.228
	Worksheet.exe	Get hash	malicious	Browse	31.210.20.121
	DHL Shipments Docs Arrival.exe	Get hash	malicious	Browse	31.210.20.228
	SecuriteInfo.com.Variant.Graftor.941749.26444.exe	Get hash	malicious	Browse	31.210.20.4
	uNttFPI36y.exe	Get hash	malicious	Browse	151.106.118.75
	4OJCZ2ZS46.exe	Get hash	malicious	Browse	31.210.20.71
	Payment.exe	Get hash	malicious	Browse	31.210.20.71
	OPEN_2021-04-12_06-58.exe	Get hash	malicious	Browse	31.210.20.58
	Enclosed Proforma Invoice INV-00628934.PDF.ex.exe	Get hash	malicious	Browse	31.210.20.71
	OPEN_2021-04-09_10-21.exe	Get hash	malicious	Browse	31.210.20.58
	50729032021.xlsx	Get hash	malicious	Browse	151.106.118.75
	OPEN_2021-03-25_12-53.exe	Get hash	malicious	Browse	31.210.20.58
	1LHKlbcoW3.exe	Get hash	malicious	Browse	151.106.118.75
	mar2403.xlsx	Get hash	malicious	Browse	151.106.118.75

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mYh6vuKw7H.exe.log Download File
Process:	C:\Users\user\Desktop\mYh6vuKw7H.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\computer+user.bmp Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PC bitmap, Windows 3.x format, 448 x 448 x 24
Category:	dropped
Size (bytes):	602168
Entropy (8bit):	0.25978605779599007
Encrypted:	false
SSDEEP:	48:hkXfv+iwkeaG/Ni6B4vtctwsNW6B4RU4SQB5pmyhbvNSFfCXDvSKqVvNThGUDRBk:hssNW6BRg
MD5:	DC2C42110B7D84F144C6D905A3DDA74E
SHA1:	DF7F5A8BC73382BC6011C7D2374CBC1BBE90B056
SHA-256:	4E07A1A6FBB5F29252A7C7AD7C3C80B32B4CC8BAEB832DBE40C38BBF85D984E7
SHA-512:	5F4414F508CFC94F0DCDC5DF438465450443270903AC11336DC59BD55335FAB74BCBFB57BEC8791FF6E4CAA247A3B449A918CF6A64290C6510CB52B44D0B4730
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	BM80......6...(....................0..................ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7 Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.66449777920046
Encrypted:	false
SSDEEP:	3:z/WSjdYOVO:z/zdYOVO
MD5:	0AA850F081A24A3B3A40988C00B1253F
SHA1:	46BA8BE4FFC25F87B2CFC477C8E8CF232DE930C0
SHA-256:	843456DE1AD0D50C545601093A0B38C8CB6925BE9CDA58670AC3F51474375A55
SHA-512:	A716F9F6669605BE107E258734C5F855BEF50F8D9B10CB9B9CF5D13FD404324630132ECC74E66A149294CC219C3A53CEFD3ADC7BB812C6F69ECBA2F4212DE60B
Malicious:	true
Reputation:	low
Preview:	...u...!...B.z.}D..r....

C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	826880
Entropy (8bit):	6.568718822236993
Encrypted:	false
SSDEEP:	12288:jrenoLLoS60/K7yh0rd5G2cpFdDOd5lmiql83fW61wI0jPyCs:jqnoLAbcpHD0lvqOu61wfPyC
MD5:	95A3B26416F41375EF06106FB58A3764
SHA1:	952F57980D5105D94BC2E0AE389F0CC7E44AE27D
SHA-256:	F8E52FA75724EB08C0EC68DB6799740AD36C7178B8F0DD7C8B0EE755FF60C653
SHA-512:	160E9DD666333B81C9685A21FD7620B499E9973743B637D4F52A30567C1A81FCC9CBA4A984E9C1715DD9D36993034EC0697C36327803754EF725EB6D86E991B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 40%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5R...............0.............F.... ........@.. ....................................@.....................................O................................................................................... ............... ..H............text...L.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................(.......H.......`...........O...@................................................0...........(......(.........~....r...p(.........~....(.........,..~....(....&.~.........,F..~....(.......+.........r...po...........,..~.....X.........X....i2....}......}......r#..p......r#..p}.....r#..p}....~.....Y......0..F.........{....(.........,....+,~....r...p.{....r%..p(....(......,....+...+.....0.. ..........L...%..{.....%..{........+...0............{....r/..p.{....(.....+..*.0..a........r..

C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.pas Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	229376
Entropy (8bit):	7.896125082104071
Encrypted:	false
SSDEEP:	3072:scDl4+itXFtk53B5Na74wIb1YgBF076sXzj9dI3TNDHaeliNRviSgADe9wrAI5HL:F8fYBlwI6uF0TjjPI3T/0hqKrRUqqV0R
MD5:	0A6D53309FBA71A87D6AFEBC09F0566F
SHA1:	2229FC6A9F77DA1F1A7A77036B518600C48A5172
SHA-256:	4A8281E89DD705E24FF7511E91A6C4B898727B386097705E1373AF1FD4007A00
SHA-512:	62CE2F74AE8FBDEF35783E2CDB6C0AC938FC128F9A4475C73E1FE449355AB734120CEE4522AB3AF2BA26592BA9C6BFEE9730FDF99A6E0A3F2D65EB79708DEAD8
Malicious:	false
Preview:	..0/g..9..3Lu=..49&%.^G.1qgB\.w.q~]vuW...?';>u"3...64...Bt.E.7.DeL2t.FUL..51.iL\|`F/4y.I.mSJyL.zV.\.t.50y.c..+.0WG7?.=%.L..7,;%!r5SPI0$.b.0....>o)..V.xOX@qVm1kc.@{).r62F....lL=.F...LR2.}.F.pBh...Y-%.$.z.TUhZ..w..b...V-+.4..n.-.BZ.sFzLV.p15i.PbB...zDUg.DeM9u^jUJ..=..h.PaB..u7E.l.Df..wV..Z.Y.10...e...t7%Pg0.kL4.R.WJS.2.6iLQcE.<v6..oO"ZM&.}.ZN_26d.9.a.[..q.@c.P..L2..Kd.V.w,.V..b.fp4.k".<6.M8..BaXUQ..4m.Q.K.{sHF/}@;v3".FEy{b.35.xplKm9.7.c.2...ZTH@U...=.4)BwfB..w7.P..5...IB.L.M....Bc.(n.2.....1..5R.U.RS...NQ".k...0.m....g".qU.f.r.a=.S..k0.zJ.O..Xy...j.ws.)...Bjx......D..=.^Q.UQ..ydV8B..tL...D(O.....U.n..m7B....;:g'D..a..5U.UG..H..B.<ud.E9.D\|$..5.%U..5.oM.0B.<A]u..D._....UZ.!4L...B.?....YDl.4.V..mUZ...,\|.BkD&.R.UQDW\e..ZEU.......#B.\..M`.D]D.\|.y..U.:09Y.<B.i......D]D.}Ty..U._V.\...B.V.'S...D..q...XqUk..4.7].B...1.].OD6&=...9sU.E.9....B.K.....D...3....U"R7i.C..B....6..DS.7..N."U.K.Y..1.B....M..D........U.91dZ..PBx?Y.1..>Dg..J]HUQ.!vg..AB.4{2.Ok:D.7.s.FuGU[0;..%.{B

C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\ut Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PC bitmap, Windows 3.x format, 448 x 448 x 24
Category:	dropped
Size (bytes):	602166
Entropy (8bit):	0.2596884454885967
Encrypted:	false
SSDEEP:	48:KXfv+iwkeaG/Ni6B4vtctwsNW6B4RU4SQB5pmyhbvNSFfCXDvSKqVvNThGUDRBuN:6sNW6BRg
MD5:	9A0951D6E69265802A0154A5C6521C72
SHA1:	525B1B4FB7CF93C08D5DA89A55543D6F35EE5781
SHA-256:	28C19C4CC0594141C2752FA2E3CDB93AE2BBE128DB13734C5DBB9C5C7555F567
SHA-512:	A89EEEFEC69180BD88C78BBE5B863521F37F404A7C6BFEC464CA317B6FF4BB6A35C4DE020A5295258767589C7517A3CFB690DEACC5044BF6ED31962CE396E8C7
Malicious:	false
Preview:	BM60......6...(....................0..................ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.568718822236993
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	mYh6vuKw7H.exe
File size:	826880
MD5:	95a3b26416f41375ef06106fb58a3764
SHA1:	952f57980d5105d94bc2e0ae389f0cc7e44ae27d
SHA256:	f8e52fa75724eb08c0ec68db6799740ad36c7178b8f0dd7c8b0ee755ff60c653
SHA512:	160e9dd666333b81c9685a21fd7620b499e9973743b637d4f52a30567c1a81fcc9cba4a984e9c1715dd9d36993034ec0697c36327803754ef725eb6d86e991b8
SSDEEP:	12288:jrenoLLoS60/K7yh0rd5G2cpFdDOd5lmiql83fW61wI0jPyCs:jqnoLAbcpHD0lvqOu61wfPyC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5R...............0.............F.... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4cb346
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xDB5235E3 [Wed Aug 7 22:34:11 2086 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb2f4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x5d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xcb2d8	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc934c	0xc9400	False	0.561850980202	data	6.57360119113	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x5d4	0x600	False	0.43359375	data	4.21976551568	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xcc090	0x344	data
RT_MANIFEST	0xcc3e4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	1.0.0.0
InternalName	1FHGWA.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	SortingVisualizer
ProductVersion	1.0.0.0
FileDescription	SortingVisualizer
OriginalFilename	1FHGWA.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2021 08:52:06.051461935 CEST	49686	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:06.106482029 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:06.106607914 CEST	49686	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:06.108239889 CEST	49686	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:06.160754919 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:06.280827045 CEST	49686	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:06.377408981 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.565330982 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.566977978 CEST	49686	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.650672913 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.677284002 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.678862095 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.728833914 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.728975058 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.731314898 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.787617922 CEST	49686	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.787870884 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.787905931 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.787921906 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.787938118 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.787950993 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.787990093 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.788044930 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.840466976 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.840676069 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.840694904 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.840711117 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.840727091 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.840742111 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.840744972 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.840761900 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.840780973 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.840785980 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.840831041 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.845995903 CEST	49688	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.858570099 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.892700911 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.892744064 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.892770052 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.892772913 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.892793894 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.892813921 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.892818928 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.892842054 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.892859936 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.892867088 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.892890930 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.892908096 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.892915010 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.892944098 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.892956972 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.892968893 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.892992973 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.893009901 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.893017054 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.893040895 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.893052101 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.894638062 CEST	2054	49688	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.894740105 CEST	49688	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.896136045 CEST	49688	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.907527924 CEST	49689	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.948335886 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.948410988 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.948420048 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.948474884 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.948523045 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.948530912 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.948574066 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.948616982 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.948617935 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.948657036 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.948682070 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.948710918 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.948733091 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.948770046 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.948780060 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.948810101 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.948848009 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.948849916 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.948894024 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.948936939 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.948940039 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.949018955 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.949055910 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.949067116 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.949091911 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.949125051 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.949134111 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.949162006 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.949198961 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.949208021 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.949237108 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.949259996 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.949285030 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.949297905 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.949338913 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.949356079 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.949413061 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.949454069 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.949465990 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.949492931 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.949536085 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:07.964325905 CEST	2054	49688	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.965632915 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:07.990727901 CEST	49686	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.004761934 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.004812956 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.004837036 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.004862070 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.004861116 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.004889011 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.004903078 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.004914999 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.004940987 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.004961014 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.004967928 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.004990101 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.004993916 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.005018950 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.005039930 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.005045891 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.005070925 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.005084038 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.005095005 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.005119085 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.005136013 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.005142927 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.005172014 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.005179882 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.005196095 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.005219936 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.005244970 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.005251884 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.005269051 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.005287886 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.005295992 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.005337000 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.058331966 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.078572035 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.078610897 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.078666925 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.079514027 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.079545021 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.079586983 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.079675913 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.079698086 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.079737902 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.079741001 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.079767942 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.079780102 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.079855919 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.079876900 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.079898119 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.080271006 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.080298901 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.080333948 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.080518007 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.080542088 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.080578089 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.080698013 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.080723047 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.080744028 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.080935001 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.080957890 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.080985069 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.081166029 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.081191063 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.081235886 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.081334114 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.081356049 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.081377983 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.081474066 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.081496000 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.081521988 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.081662893 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.081686974 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.081712961 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.081835032 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.081856966 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.081922054 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.081953049 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.081975937 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.082000971 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.082138062 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.082165003 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.082189083 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.082297087 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.082319021 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.082357883 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:08.082473040 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:08.082520008 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:10.975574970 CEST	49689	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:11.025999069 CEST	2054	49689	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:11.026267052 CEST	49689	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:11.028131008 CEST	49689	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:11.029650927 CEST	49690	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:11.108455896 CEST	2054	49689	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:13.089473009 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:13.178735018 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:13.543808937 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:13.584949017 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.038086891 CEST	49690	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.090620041 CEST	2054	49690	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.090742111 CEST	49690	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.092849970 CEST	49690	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.092983961 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.093411922 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.141578913 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.141652107 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.141690016 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.141791105 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.141977072 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142023087 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142061949 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142074108 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.142102003 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142142057 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142179966 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142219067 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142256021 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142266989 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.142302990 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.142302036 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142348051 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142365932 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.142389059 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142431021 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142471075 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142484903 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.142508984 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142537117 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.142549038 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142586946 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142610073 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.142642975 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142698050 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142729998 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.142740011 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142786980 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142812014 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.142823935 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142863035 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142869949 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.142904043 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142941952 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.142963886 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.142978907 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143028021 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143028975 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.143071890 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143110991 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143146992 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143151045 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.143186092 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143205881 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.143224001 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143276930 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.143295050 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143332958 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143368959 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143381119 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.143408060 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143446922 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143450975 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.143484116 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143522024 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143559933 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143570900 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.143605947 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.143608093 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143661022 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143697977 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143732071 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.143734932 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143774986 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143810987 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.143840075 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.143878937 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.166305065 CEST	2054	49690	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.191299915 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.241250038 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.566149950 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.606033087 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.617212057 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.617240906 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.617295027 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.617341042 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.621409893 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.668246984 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.670937061 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.670965910 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.670983076 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.670999050 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671015024 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671032906 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671029091 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.671049118 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671068907 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671068907 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.671087980 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671103954 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671118975 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671123981 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.671137094 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671152115 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671154022 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.671169043 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671185017 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671202898 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671216011 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.671221972 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671237946 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671251059 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:14.671258926 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:14.671294928 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:16.560276031 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:16.628649950 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:18.798625946 CEST	49687	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:18.798929930 CEST	49686	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:18.850681067 CEST	2054	49687	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:18.859818935 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:18.913456917 CEST	49686	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:31.275018930 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:52:31.275897980 CEST	49686	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:52:31.374159098 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:01.303642035 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:01.306020021 CEST	49686	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:01.406375885 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:16.284977913 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:16.286569118 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:16.324496031 CEST	49686	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:16.335597992 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:16.335803032 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:16.338794947 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:16.414773941 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:16.880882025 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:16.898611069 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:16.969073057 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:17.450237036 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:17.496445894 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:17.830055952 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:17.899064064 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:18.182183027 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:18.182600975 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:18.233242035 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:18.233262062 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:18.233464003 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:18.233562946 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:18.234862089 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:18.235196114 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:18.285526037 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:18.285646915 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:18.289479017 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:18.336980104 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:18.343590975 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:18.387125015 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:31.299642086 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:31.299969912 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:31.300442934 CEST	49686	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:31.341331005 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:31.391072035 CEST	2054	49686	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:32.028956890 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:32.029320002 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:32.079950094 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:32.080022097 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:32.080035925 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:32.133408070 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:32.185213089 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:33.032048941 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:33.032325983 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:33.082777023 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:33.082820892 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:33.082855940 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:33.082865000 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:33.146909952 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:33.200877905 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:38.292496920 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:38.292781115 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:38.343949080 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:38.343969107 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:38.344036102 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:38.428190947 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:38.437537909 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:38.482808113 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:38.623677015 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:38.624021053 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:38.678142071 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:38.678217888 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:38.728771925 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:38.779434919 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:40.456914902 CEST	2054	49708	31.210.21.252	192.168.2.3
Apr 26, 2021 08:53:40.457130909 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:40.531563997 CEST	49708	2054	192.168.2.3	31.210.21.252
Apr 26, 2021 08:53:40.580955029 CEST	2054	49708	31.210.21.252	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2021 08:51:41.888035059 CEST	51904	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:51:41.936629057 CEST	53	51904	8.8.8.8	192.168.2.3
Apr 26, 2021 08:51:42.797611952 CEST	61328	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:51:42.854826927 CEST	53	61328	8.8.8.8	192.168.2.3
Apr 26, 2021 08:51:43.590799093 CEST	54130	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:51:43.640702009 CEST	53	54130	8.8.8.8	192.168.2.3
Apr 26, 2021 08:51:44.576752901 CEST	56961	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:51:44.627007961 CEST	53	56961	8.8.8.8	192.168.2.3
Apr 26, 2021 08:51:45.434290886 CEST	59353	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:51:45.485877991 CEST	53	59353	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:05.974265099 CEST	52238	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:06.039355040 CEST	53	52238	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:15.003690004 CEST	49873	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:15.067033052 CEST	53	49873	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:18.965415955 CEST	53196	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:19.017782927 CEST	53	53196	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:19.829530954 CEST	56777	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:19.893464088 CEST	53	56777	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:20.850656986 CEST	58643	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:20.903491020 CEST	53	58643	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:22.770585060 CEST	60985	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:22.822380066 CEST	53	60985	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:25.083201885 CEST	50200	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:25.132935047 CEST	53	50200	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:26.267080069 CEST	51281	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:26.328526020 CEST	53	51281	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:29.059019089 CEST	49199	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:29.107590914 CEST	53	49199	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:30.122246027 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:30.184159994 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:31.310329914 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:31.372395039 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:32.145282984 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:32.195693970 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:33.733953953 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:33.782598019 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:35.130295038 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:35.194488049 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:36.098850012 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:36.155441999 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 26, 2021 08:52:37.040864944 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 26, 2021 08:52:37.089737892 CEST	53	65110	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 26, 2021 08:52:05.974265099 CEST	192.168.2.3	8.8.8.8	0x596d	Standard query (0)	kapasky-antivirus.firewall-gateway.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 26, 2021 08:52:06.039355040 CEST	8.8.8.8	192.168.2.3	0x596d	No error (0)	kapasky-antivirus.firewall-gateway.net		31.210.21.252	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: mYh6vuKw7H.exe PID: 5728 Parent PID: 5624

General

Start time:	08:51:47
Start date:	26/04/2021
Path:	C:\Users\user\Desktop\mYh6vuKw7H.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\mYh6vuKw7H.exe'
Imagebase:	0x6d0000
File size:	826880 bytes
MD5 hash:	95A3B26416F41375EF06106FB58A3764
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.232826022.0000000003D25000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: mYh6vuKw7H.exe PID: 4792 Parent PID: 5728

General

Start time:	08:51:55
Start date:	26/04/2021
Path:	C:\Users\user\Desktop\mYh6vuKw7H.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xb80000
File size:	826880 bytes
MD5 hash:	95A3B26416F41375EF06106FB58A3764
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_GenericDropper, Description: Yara detected Generic Dropper, Source: 00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_XpertRAT, Description: Yara detected XpertRAT, Source: 00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDropper, Description: Yara detected Generic Dropper, Source: 00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_XpertRAT, Description: Yara detected XpertRAT, Source: 00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 4856 Parent PID: 4792

General

Start time:	08:51:57
Start date:	26/04/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\mYh6vuKw7H.exe
Imagebase:	0x1290000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 2024 Parent PID: 4856

General

Start time:	08:51:59
Start date:	26/04/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 76
Imagebase:	0x1100000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 1200 Parent PID: 4792

General

Start time:	08:52:02
Start date:	26/04/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\mYh6vuKw7H.exe
Imagebase:	0x1290000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GenericDropper, Description: Yara detected Generic Dropper, Source: 00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_XpertRAT, Description: Yara detected XpertRAT, Source: 00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe PID: 4456 Parent PID: 3388

General

Start time:	08:52:15
Start date:	26/04/2021
Path:	C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe'
Imagebase:	0x290000
File size:	826880 bytes
MD5 hash:	95A3B26416F41375EF06106FB58A3764
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 40%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe PID: 1740 Parent PID: 3388

General

Start time:	08:52:24
Start date:	26/04/2021
Path:	C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe'
Imagebase:	0xdd0000
File size:	826880 bytes
MD5 hash:	95A3B26416F41375EF06106FB58A3764
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000B.00000002.309855578.0000000004565000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe PID: 6024 Parent PID: 4456

General

Start time:	08:52:24
Start date:	26/04/2021
Path:	C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3d0000
File size:	826880 bytes
MD5 hash:	95A3B26416F41375EF06106FB58A3764
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe PID: 6028 Parent PID: 4456

General

Start time:	08:52:25
Start date:	26/04/2021
Path:	C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xbb0000
File size:	826880 bytes
MD5 hash:	95A3B26416F41375EF06106FB58A3764
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe PID: 4752 Parent PID: 1740

General

Start time:	08:52:31
Start date:	26/04/2021
Path:	C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x720000
File size:	826880 bytes
MD5 hash:	95A3B26416F41375EF06106FB58A3764
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe PID: 5852 Parent PID: 3388

General

Start time:	08:52:32
Start date:	26/04/2021
Path:	C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe'
Imagebase:	0x170000
File size:	826880 bytes
MD5 hash:	95A3B26416F41375EF06106FB58A3764
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000014.00000002.328609603.00000000037E5000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe PID: 4900 Parent PID: 5852

General

Start time:	08:52:40
Start date:	26/04/2021
Path:	C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xeb0000
File size:	826880 bytes
MD5 hash:	95A3B26416F41375EF06106FB58A3764
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: mYh6vuKw7H.exe PID: 5728 Parent PID: 5624 mYh6vuKw7H.exeCOMMON

Executed Functions

Non-executed Functions

Function 006D640E, Relevance: 2.1, Instructions: 2092COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.229179231.00000000006D2000.00000002.00020000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.229173341.00000000006D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.229222538.0000000000721000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.229244836.0000000000741000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6531ae5b10f1e18d780e373763fc2290ac28798bc02c7827f0b31e8e114c485
Instruction ID: 731d4116f272485778e888427f46f446f155e96def3e1fed8d2dc6b3e7dbc679
Opcode Fuzzy Hash: a6531ae5b10f1e18d780e373763fc2290ac28798bc02c7827f0b31e8e114c485
Instruction Fuzzy Hash: C70367A284E3C19FC7138B749CB56D17FB1AE6321871E44CBD4C0CF1A3E2195A5ADB62

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mYh6vuKw7H.exe PID: 4792 Parent PID: 5728 mYh6vuKw7H.exeCOMMON

Executed Functions

Function 004010B8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 63%

			_entry_(signed int __eax) {
				intOrPtr* _t3;
				signed int _t5;
				void* _t7;

				_push("VB5!6&*"); // executed
				L004010B0(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t3 = __eax - 1;
				 *_t3 =  *_t3 + _t3;
				 *_t3 =  *_t3 + _t3;
				 *_t3 =  *_t3 + _t3;
				asm("repne pushad");
				asm("scasb");
				asm("iretd");
				_t5 = 0x00000030 &  *(_t7 - 0x47);
				asm("out dx, eax");
				return _t5;
			}

0x004010b8
0x004010bd
0x004010c2
0x004010c4
0x004010c6
0x004010c8
0x004010ca
0x004010cc
0x004010cd
0x004010cf
0x004010d2
0x004010d4
0x004010d8
0x004010d9
0x004010da
0x004010e1
0x004010e2

APIs

#100.MSVBVM60(VB5!6&*), ref: 004010BD

Strings

VB5!6&*, xrefs: 004010B8

Memory Dump Source

Source File: 00000001.00000002.251887637.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: c7bc0ee79263a740fcc700dbfee023080fb0fa70b19aebc9ee43064f4584c908
Instruction ID: b6739bdf349da0691ce75642d0dce650f11d74407005aab234596499848b2d89
Opcode Fuzzy Hash: c7bc0ee79263a740fcc700dbfee023080fb0fa70b19aebc9ee43064f4584c908
Instruction Fuzzy Hash: D2D0B14549E3C00ED30353B459299556F704C436A431F42E7E480DE0E3D5984949C377

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: iexplore.exe PID: 1200 Parent PID: 4792 iexplore.exeCOMMON

Executed Functions

Function 00401364, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401369

Strings

VB5!6&*, xrefs: 00401364

Memory Dump Source

Source File: 00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 9b5013c4cf67569665f26d2c48c447d5ba9a3fcb56707d59ace42e3b0aeb6654
Instruction ID: b7f46b07fd2382989242c00de91e411bf3b00ebe0bc19311e73dd1aa04708b72
Opcode Fuzzy Hash: 9b5013c4cf67569665f26d2c48c447d5ba9a3fcb56707d59ace42e3b0aeb6654
Instruction Fuzzy Hash: 94E0536610E3C0AED3135B609A622053FB4AA4734170A84F7D9D0EA8F3C63C9888C33A

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE30, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71cba679f7ad99be25a7cd36ba3732a393cf453f96187e8ab0eda7d50836c6e2
Instruction ID: fd7bf7fef8992ef2e6e9ccd912d44d70071294ca33ce019f73598511de6408bd
Opcode Fuzzy Hash: 71cba679f7ad99be25a7cd36ba3732a393cf453f96187e8ab0eda7d50836c6e2
Instruction Fuzzy Hash: CF01125588E3C59FD32393B04CA51613F609D0B28032E0AEBD4D6EF0E3D66D580AC36B

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB4C, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1c91c5a41bd9a17a00ee0cbf0e8510504893d4d65c380886eeb425a56aeffb
Instruction ID: ae50e0a30e2fd396379325260d69368478f870d7f3126bba6bac6e1fc69d4a30
Opcode Fuzzy Hash: 3a1c91c5a41bd9a17a00ee0cbf0e8510504893d4d65c380886eeb425a56aeffb
Instruction Fuzzy Hash: 9EE01A1058D3C15FE70353700C657553F609F072A8F2A09EBC9A5DE5E7D65C5D0A836E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D874, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7a93f12f6ceac68c3c6e57f9da98a08758eb5ef389da310894da6bcec74716
Instruction ID: e9acff41310a612d4141351b175bce2eafd3288dbdb7fda07d373d2081b32fd3
Opcode Fuzzy Hash: 9f7a93f12f6ceac68c3c6e57f9da98a08758eb5ef389da310894da6bcec74716
Instruction Fuzzy Hash: 35E0484698E3C10FD31366A10C205502F71891764032A45EBD5A5DE5E3C85E8D0E873A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D036, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddec02d60ecac49bc21286b0f37acba873a846efdbf5481605bbb62840242978
Instruction ID: 4deff4bfb06445af4152e2ddde9cd1b592112ee6ed4779f82b465025d6fef90e
Opcode Fuzzy Hash: ddec02d60ecac49bc21286b0f37acba873a846efdbf5481605bbb62840242978
Instruction Fuzzy Hash: FEE0480098E3C19FD31393B408255612FB48847244B5E89EBD999DE0E3CA5E8C0FD336

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFB2, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4761dd2a8e6df04143fc0fb44877c9891ec621d7e69019f4f9925d0dd5c5fdc3
Instruction ID: e1ea6b055517d1e7239180d9e6af86da22ce10ec25c77aebebd11128acb11a82
Opcode Fuzzy Hash: 4761dd2a8e6df04143fc0fb44877c9891ec621d7e69019f4f9925d0dd5c5fdc3
Instruction Fuzzy Hash: 8FD0485058E3C29EC31343600C665622F728A0725031A0AEBD695DF1E3C96D480A87BB

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0F6, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0562bf17c4c4f36732c2b5164eb1f641243ebe8d5ab6b1f80788cdecbb45e8
Instruction ID: 4bf93f5148363bf18c72a930363c5483a9ebf0b62c1dbef03ccbe70fa8e34327
Opcode Fuzzy Hash: da0562bf17c4c4f36732c2b5164eb1f641243ebe8d5ab6b1f80788cdecbb45e8
Instruction Fuzzy Hash: 06D06C5498F3C19EC71353B40C645622F708A4724432E05EBD695DE1E3C86D9C0ED33B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D076, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.475290269.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a700226b00a0c9ae91461f28642d5cbe539946352a884aa9ec8f07c843daf3
Instruction ID: b5bb26d9b2da3abdf8955492d2c9f8ecd773af7b928047d8870461a20f8ff6ec
Opcode Fuzzy Hash: b7a700226b00a0c9ae91461f28642d5cbe539946352a884aa9ec8f07c843daf3
Instruction Fuzzy Hash: 49D06C81D8E3C15FD31352B00C246102F709E17284B2A09FBD188DE1F3DA5E8E0EC32A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe PID: 4456 Parent PID: 3388 U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exeCOMMON

Executed Functions

Function 00BA9768, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BA99AE

Memory Dump Source

Source File: 00000008.00000002.292115929.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bce78f670674992e11ca6029c5707831fa254b952ac81a3fcc4dcab75c589f6f
Instruction ID: cebacaa2983231c98a14bf356e213789fda9602c70558ec72af43fc2cc11f796
Opcode Fuzzy Hash: bce78f670674992e11ca6029c5707831fa254b952ac81a3fcc4dcab75c589f6f
Instruction Fuzzy Hash: C7713470A04B058FD724DF2AD09075ABBF1FF8A304F00896EE49ADBA50DB35E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BA5364, Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00BA5421

Memory Dump Source

Source File: 00000008.00000002.292115929.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 76a0b0ada5a25e819dd233c3b2d19307ad27dbc9028b1bf1652cec20f3a164b2
Instruction ID: 7196d61fbf4cf4f4989cf553c815571a116a7683fa5d441eda4c257bfa2c3a0e
Opcode Fuzzy Hash: 76a0b0ada5a25e819dd233c3b2d19307ad27dbc9028b1bf1652cec20f3a164b2
Instruction Fuzzy Hash: 0041F271C04618CFDB24DFA5C8447DDBBB1FF49304F2080AAD408AB251DB756946CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00BA3DE8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00BA5421

Memory Dump Source

Source File: 00000008.00000002.292115929.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8c17a31904417056f69aecc08debbc93c2741c38dd6dc84c3df3c41c0b88c364
Instruction ID: 351d1f34bb95b2eff34ba84144e4c193e1272261cc00071b4f620ad949966443
Opcode Fuzzy Hash: 8c17a31904417056f69aecc08debbc93c2741c38dd6dc84c3df3c41c0b88c364
Instruction Fuzzy Hash: B341F171C0461CCBDB24DFA9C884B9DBBF5FF49308F6080A9D408AB255DB756985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04BD28F0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04BD29B1

Memory Dump Source

Source File: 00000008.00000002.299539887.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 30826cdf7f1e73e915ddbf54527cfac38b26e66daf28b3fb949ca6519871ddab
Instruction ID: ce668d2aa46f142211b0340e99ee9ff8abcf275eebcfb5eb8c2504f6d7052912
Opcode Fuzzy Hash: 30826cdf7f1e73e915ddbf54527cfac38b26e66daf28b3fb949ca6519871ddab
Instruction Fuzzy Hash: 344149B5A003459FDB14CF99D488BAAFBF5FF98314F248499E419A7325D334A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9D78, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00BABD3E,?,?,?,?,?), ref: 00BABDFF

Memory Dump Source

Source File: 00000008.00000002.292115929.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2e50b977ea18552bdaae40e13097576ff8956a495dc774f88a058c7ef8807079
Instruction ID: 41cbdbf46f5486322ad9780ee04000c294dfbe42c36a6a3a8cd9d9d7b34d0b72
Opcode Fuzzy Hash: 2e50b977ea18552bdaae40e13097576ff8956a495dc774f88a058c7ef8807079
Instruction Fuzzy Hash: FA2116B5900208AFDB10CFAAD884ADEFBF8FB48324F14845AE954B3311D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BABD70, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00BABD3E,?,?,?,?,?), ref: 00BABDFF

Memory Dump Source

Source File: 00000008.00000002.292115929.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 409cc95e45a661c6502cf68e0124345a3cd22c20193b287010de37a974485bbe
Instruction ID: cf15d54217d27c5b9dd4daa840709fb8476623ed225bd3a559db51240c7c9a08
Opcode Fuzzy Hash: 409cc95e45a661c6502cf68e0124345a3cd22c20193b287010de37a974485bbe
Instruction Fuzzy Hash: B12114B5900208AFDB10CFAAD884BDEFBF8FB48324F14845AE955A7310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9FC8, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BA9E29,00000800,00000000,00000000), ref: 00BAA03A

Memory Dump Source

Source File: 00000008.00000002.292115929.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 72a5637bf1c2fff74dbe8f02e8f5ccf90b7037cb8e0656dc747b7d3c2ae15520
Instruction ID: c8d3f7cb7e2136e1706948d71d04146ddcb05a48ba8ce739d83a6fa4fca241b1
Opcode Fuzzy Hash: 72a5637bf1c2fff74dbe8f02e8f5ccf90b7037cb8e0656dc747b7d3c2ae15520
Instruction Fuzzy Hash: 1F1136B6C002099FDB20DF9AD444BDEFBF8EB48360F11846AE555B7200C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BA99EC, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BA9E29,00000800,00000000,00000000), ref: 00BAA03A

Memory Dump Source

Source File: 00000008.00000002.292115929.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1c17774a0cc0e071a6790e5646fd4da92667a463b61943fccd160a06652e2eb5
Instruction ID: 8445a9cbf09e88c22daece6ec1e7a38a105a750798cb5165395f2fb653d04e98
Opcode Fuzzy Hash: 1c17774a0cc0e071a6790e5646fd4da92667a463b61943fccd160a06652e2eb5
Instruction Fuzzy Hash: 0B1133B28042099FDB20CF9AD844BDEFBF4EB48324F14806AE515B7200C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9948, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BA99AE

Memory Dump Source

Source File: 00000008.00000002.292115929.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d3a730b413f38b8af368ce9462269a1d1743891387e6fc4e03f93103fea2782c
Instruction ID: 723aa0457a0980deabdb93033cd39ebea888c0933cc55d76076f6e573adc515b
Opcode Fuzzy Hash: d3a730b413f38b8af368ce9462269a1d1743891387e6fc4e03f93103fea2782c
Instruction Fuzzy Hash: 1B1102B6C002099FCB20CF9AD844BDEFBF4EB88324F14845AD469A7200C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.291987301.0000000000B1D000.00000040.00000001.sdmp, Offset: 00B1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac550e4a05d16fc6afe3013c3ad202b4abf3ad3ea59466ada9b423232be7b79
Instruction ID: 3b757ca5ba57e59f9dc9ac8aec219d3ee544c4eafcd46fa52159ede2f513e48f
Opcode Fuzzy Hash: dac550e4a05d16fc6afe3013c3ad202b4abf3ad3ea59466ada9b423232be7b79
Instruction Fuzzy Hash: FE21F571504240EFDB11DF54D9C0B66BBE5FB84314F74CAEDE8094B246C336D886CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.291987301.0000000000B1D000.00000040.00000001.sdmp, Offset: 00B1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde37bbe36941296e74be6989fa79743abe3ddf25f6518a4fab925e6e52762f3
Instruction ID: 2ba9efb707d59d4a149b701418248ae8fc888792bd0fe652afb08f05ede2db66
Opcode Fuzzy Hash: bde37bbe36941296e74be6989fa79743abe3ddf25f6518a4fab925e6e52762f3
Instruction Fuzzy Hash: B721D075504240DFCB14DF54D8D8B66BBA5FB88314F64C9A9E80A4B246C33AD886CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.291987301.0000000000B1D000.00000040.00000001.sdmp, Offset: 00B1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9fe068c99dd18242de47aeef93577b4802a92f4eed98b806d5aa989921c17a
Instruction ID: 7ae0fa2b101d0665d8fb2d86b69e228e54022fbb5f85e62b70b9ffec9d509d6f
Opcode Fuzzy Hash: 7b9fe068c99dd18242de47aeef93577b4802a92f4eed98b806d5aa989921c17a
Instruction Fuzzy Hash: 552184755087809FCB02CF14D994B51BFB1EB4A314F28C5EAD8498F257C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.291987301.0000000000B1D000.00000040.00000001.sdmp, Offset: 00B1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
Instruction ID: 82a2ed0ed3eaa7ba3b8b48c6fdbf89a7948112bdff9de15c11f1bf36db4ce6a3
Opcode Fuzzy Hash: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
Instruction Fuzzy Hash: 77119D75904280DFCB11CF14D5C4B55FBB1FB84324F28C6ADD8494B656C33AD88ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe PID: 1740 Parent PID: 3388 U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exeCOMMON

Executed Functions

Function 075F9C07, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 075FC03D

Strings

@\D), xrefs: 075FBFFA
Oxf^, xrefs: 075F9C11

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: MessagePost
String ID: @\D)$Oxf^
API String ID: 410705778-3092626465
Opcode ID: cc287b6290238e3e81836a770dabd48e7672b5cecf00d26d1ca67b3826d3ce76
Instruction ID: bab4aa296d25218e3d41d06aa222062122618ceab634a34eb1c2d26868646bb3
Opcode Fuzzy Hash: cc287b6290238e3e81836a770dabd48e7672b5cecf00d26d1ca67b3826d3ce76
Instruction Fuzzy Hash: 083108B28083848FC751DB68D8A67CA7FF4EF16314F058497D584DB652D734A845CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 015F9768, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015F99AE

Strings

@\D), xrefs: 015F9967

Memory Dump Source

Source File: 0000000B.00000002.306934950.00000000015F0000.00000040.00000001.sdmp, Offset: 015F0000, based on PE: false

Similarity

API ID: HandleModule
String ID: @\D)
API String ID: 4139908857-156320408
Opcode ID: bba7da6f7c6f45c758cc92d048edf991d7485ba36cc34c907844f96e70d2f46b
Instruction ID: 55c0a599f61dac8e2b722021f17f66d94d7011a1e73f524d776e03f3d09f7270
Opcode Fuzzy Hash: bba7da6f7c6f45c758cc92d048edf991d7485ba36cc34c907844f96e70d2f46b
Instruction Fuzzy Hash: 94712770A00B068FD764DF29D04075ABBF1FF88218F00892DE646DBA50DB35E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 075FB556, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 148processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 075FB6B3

Strings

@\D), xrefs: 075FB5A1

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: CreateProcess
String ID: @\D)
API String ID: 963392458-156320408
Opcode ID: 98907a9f11e6283a0d4bfa3b35d1f35a846b4417e0d534317bb59bd348b5b0fa
Instruction ID: f85877a8dd61ec69084f6ce91afeed4912d5b88baaae476b1f6265020de05d95
Opcode Fuzzy Hash: 98907a9f11e6283a0d4bfa3b35d1f35a846b4417e0d534317bb59bd348b5b0fa
Instruction Fuzzy Hash: 255118B1D01319DFDB20DF99C880BDDBBB1BF48314F15809AE908A7210DB345A89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 075FB560, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 143processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 075FB6B3

Strings

@\D), xrefs: 075FB5A1

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: CreateProcess
String ID: @\D)
API String ID: 963392458-156320408
Opcode ID: 585807093327e0bf32901d2077e1c793ab20ae0aa3e7b6149526ff658d7398fe
Instruction ID: fd9db88a76a7f1d85b2f381abae9b427b9ab17b14fb4cfc9896d976eec67f7bd
Opcode Fuzzy Hash: 585807093327e0bf32901d2077e1c793ab20ae0aa3e7b6149526ff658d7398fe
Instruction Fuzzy Hash: 085106B1D01319DFDB21DF99C880BDDBBB5BF88314F15809AE908A7250DB359A89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 015F5364, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 015F5421

Strings

@\D), xrefs: 015F53A4

Memory Dump Source

Source File: 0000000B.00000002.306934950.00000000015F0000.00000040.00000001.sdmp, Offset: 015F0000, based on PE: false

Similarity

API ID: Create
String ID: @\D)
API String ID: 2289755597-156320408
Opcode ID: f67d1b09f97767147da9190d18ddd0085ab73ed2b82f20808654d7df2c1034ae
Instruction ID: 5c238fefcb4e27e0dee9c1a3f2c15fe36ed29331e1901d7cf645d073af391642
Opcode Fuzzy Hash: f67d1b09f97767147da9190d18ddd0085ab73ed2b82f20808654d7df2c1034ae
Instruction Fuzzy Hash: 0F4102B1D10619CFDB24DFA9C884BDDBBB1FF49309F20806AD508AB251DB755946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 015F3DE8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 015F5421

Strings

@\D), xrefs: 015F53A4

Memory Dump Source

Source File: 0000000B.00000002.306934950.00000000015F0000.00000040.00000001.sdmp, Offset: 015F0000, based on PE: false

Similarity

API ID: Create
String ID: @\D)
API String ID: 2289755597-156320408
Opcode ID: 12789e296a378ff32c177ece4f80f97da66f7f9c1bd47cfc16a545c5e636ff6e
Instruction ID: 151cfd58a707ccc0d1ea4f7e49a2ca0d47aeee6e24c3825f260ff19d40dace37
Opcode Fuzzy Hash: 12789e296a378ff32c177ece4f80f97da66f7f9c1bd47cfc16a545c5e636ff6e
Instruction Fuzzy Hash: 0741F370D1461CDBDB24DFA9C884B8EBBB5FF48305F608069D508AB251DB755945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 075FBB01, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075FBB95

Strings

@\D), xrefs: 075FBB2A

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID: @\D)
API String ID: 3559483778-156320408
Opcode ID: d9da6056d3213f8dfc2579d7da1044aabadf3ec7a64bda6c9fcd01a1bb9697bd
Instruction ID: 2cd72f46879882de4001eefdacf6d09fa66ba1a16084f9e16387bb6ca553ed35
Opcode Fuzzy Hash: d9da6056d3213f8dfc2579d7da1044aabadf3ec7a64bda6c9fcd01a1bb9697bd
Instruction Fuzzy Hash: BA2114B5900219DFCB10CFAAD985BDEBBF4FF48324F10842AE958A7340D774A944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 015F9D04, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015FBD3E,?,?,?,?,?), ref: 015FBDFF

Strings

@\D), xrefs: 015FBD97

Memory Dump Source

Source File: 0000000B.00000002.306934950.00000000015F0000.00000040.00000001.sdmp, Offset: 015F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: @\D)
API String ID: 3793708945-156320408
Opcode ID: ef849295eb6ac062bd635eacb27cf737198c41eaff272a6c11a57591349638ae
Instruction ID: 21a06a9c37f394012856175345ee20940e0358a5f29946f2dd9405b7772db7bd
Opcode Fuzzy Hash: ef849295eb6ac062bd635eacb27cf737198c41eaff272a6c11a57591349638ae
Instruction Fuzzy Hash: 522115B5800208DFDB10CFA9D884AEEBFF4FB48324F14841AEA15A7351D374A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075FBB08, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075FBB95

Strings

@\D), xrefs: 075FBB2A

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID: @\D)
API String ID: 3559483778-156320408
Opcode ID: efccb4a67b98227df5182d59b36daf7f41f42c672a0b64caf9d792eec11efc3e
Instruction ID: 3db4f4d6180df7b2e32a72c9f04767692d40dc2bf25cc339ffd6b18b6acdbabc
Opcode Fuzzy Hash: efccb4a67b98227df5182d59b36daf7f41f42c672a0b64caf9d792eec11efc3e
Instruction Fuzzy Hash: 6A21E4B1900259DFCB10CFAAD885BDEBBF4FB48314F10842AE919A7250D774A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 015F9D78, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015FBD3E,?,?,?,?,?), ref: 015FBDFF

Strings

@\D), xrefs: 015FBD97

Memory Dump Source

Source File: 0000000B.00000002.306934950.00000000015F0000.00000040.00000001.sdmp, Offset: 015F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: @\D)
API String ID: 3793708945-156320408
Opcode ID: bd92c0ccd420aa91dd30c99e9c28e22ddf1e245412cf560376ac6201ea496a8a
Instruction ID: 08274f7f132cd3f81f111385c90402e3a236678e74f7ab74f491b11631f3869b
Opcode Fuzzy Hash: bd92c0ccd420aa91dd30c99e9c28e22ddf1e245412cf560376ac6201ea496a8a
Instruction Fuzzy Hash: 5721E5B5900209EFDB10CFA9D884ADEFBF4FB48324F14841AEA15A7311D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015FBD70, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015FBD3E,?,?,?,?,?), ref: 015FBDFF

Strings

@\D), xrefs: 015FBD97

Memory Dump Source

Source File: 0000000B.00000002.306934950.00000000015F0000.00000040.00000001.sdmp, Offset: 015F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: @\D)
API String ID: 3793708945-156320408
Opcode ID: c5b51bb92c900fce980d7b3babeaa4f1db8f00b2e468157fb1eec289529ddf9c
Instruction ID: dd2e6c0e09076ea17af45ce91a589da68fdea8ab2f29b60e2a6aea3f93de7728
Opcode Fuzzy Hash: c5b51bb92c900fce980d7b3babeaa4f1db8f00b2e468157fb1eec289529ddf9c
Instruction Fuzzy Hash: 0821E3B5D00208AFDB10CFA9D884ADEFBF8FB48324F14841AE954A7310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075FB989, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075FBA0F

Strings

@\D), xrefs: 075FB9B2

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID: @\D)
API String ID: 1726664587-156320408
Opcode ID: 38f11146c9b7785f0dd17d46c31a694c7ea9756bb8a8f07a8a7bda5a4b593211
Instruction ID: af3c328003f8f274bbb2bc8a3c6a782b1cac4800f03e20b536c30ad554dbf207
Opcode Fuzzy Hash: 38f11146c9b7785f0dd17d46c31a694c7ea9756bb8a8f07a8a7bda5a4b593211
Instruction Fuzzy Hash: 6721F0B6D01209DFCB10CFAAD985BDEBBF4FB48320F10842AE958A7200D334A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075FB8C9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 075FB947

Strings

@\D), xrefs: 075FB8EF

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: ContextThread
String ID: @\D)
API String ID: 1591575202-156320408
Opcode ID: ba286aa83915fbc3eecbcf2f9a3fc2a4eab674de37fd54cd567e62513a886059
Instruction ID: 676775d73e309158feda03b2b8af00a4f6ca65e242b2896a24ea52c81087f2d2
Opcode Fuzzy Hash: ba286aa83915fbc3eecbcf2f9a3fc2a4eab674de37fd54cd567e62513a886059
Instruction Fuzzy Hash: D12138B1D0061A9FCB10CFAAD9857EEFBF4BF08224F14812AD518B3740D774A9448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 075FB990, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075FBA0F

Strings

@\D), xrefs: 075FB9B2

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID: @\D)
API String ID: 1726664587-156320408
Opcode ID: 4ec6be50e27649b49936740960861b13caebba8a30ef375de8d99a164c22a1b7
Instruction ID: 5048bfeb003a45b78dc5aada76c8800422fd9b90c1214bfcb35ce504b404e238
Opcode Fuzzy Hash: 4ec6be50e27649b49936740960861b13caebba8a30ef375de8d99a164c22a1b7
Instruction Fuzzy Hash: 6421E2B1901259DFCB10CFAAD884BDEFBF4FB48320F50842AE958A7250D774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 075FB8D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 075FB947

Strings

@\D), xrefs: 075FB8EF

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: ContextThread
String ID: @\D)
API String ID: 1591575202-156320408
Opcode ID: 98bb0b95749ea8000cba1d219f0ba6995bfbd6beb9b6ee60bd52feb4c9470f22
Instruction ID: fb50c21165fa645f57da27e5ee704a449c5841ddb615be8fc2aedb8dbcd59154
Opcode Fuzzy Hash: 98bb0b95749ea8000cba1d219f0ba6995bfbd6beb9b6ee60bd52feb4c9470f22
Instruction Fuzzy Hash: 3A2108B1D0061A9FCB10CFAAD985BDEFBF4BB49224F54812AD518B3340D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015F9FC8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015F9E29,00000800,00000000,00000000), ref: 015FA03A

Strings

@\D), xrefs: 015F9FEF

Memory Dump Source

Source File: 0000000B.00000002.306934950.00000000015F0000.00000040.00000001.sdmp, Offset: 015F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: @\D)
API String ID: 1029625771-156320408
Opcode ID: 4d17664f5caab11610820650e1b494b06377bd27f91087258bda6929572a90ed
Instruction ID: f46e2d86868bb31bc38ee421427762fdc9f990557e528f733f24fbefd72fd75f
Opcode Fuzzy Hash: 4d17664f5caab11610820650e1b494b06377bd27f91087258bda6929572a90ed
Instruction Fuzzy Hash: BB2124B2C002099FDB10CF9AD444BDEFBF8AB88360F10842EE529AB200D375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015F99EC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015F9E29,00000800,00000000,00000000), ref: 015FA03A

Strings

@\D), xrefs: 015F9FEF

Memory Dump Source

Source File: 0000000B.00000002.306934950.00000000015F0000.00000040.00000001.sdmp, Offset: 015F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: @\D)
API String ID: 1029625771-156320408
Opcode ID: f27110169867effe4204fa2fee25102de0c165b65f95ddd5ff6a78359d9ce30d
Instruction ID: 535b387b005bfee18368efea5efb3c0641756de147e9aa87ce31590b6c81014f
Opcode Fuzzy Hash: f27110169867effe4204fa2fee25102de0c165b65f95ddd5ff6a78359d9ce30d
Instruction Fuzzy Hash: 511106B2D002099FDB10CF9AD444BDEFBF8BB48324F14842EE519AB200C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 075FBA58, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075FBACB

Strings

@\D), xrefs: 075FBA7A

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: @\D)
API String ID: 4275171209-156320408
Opcode ID: cc831bad5dd7b5840676ae73e72016e30e532bfd7384630c96847e9068086bfb
Instruction ID: 87adba095aa388f2af76719c0ba70c833d6d18ccd4df099fcdb0eec902be09ed
Opcode Fuzzy Hash: cc831bad5dd7b5840676ae73e72016e30e532bfd7384630c96847e9068086bfb
Instruction Fuzzy Hash: E31116B5900649DFCB20DF9AD884BDEBBF4FF48324F14841AE969A7210C735A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075FBA60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075FBACB

Strings

@\D), xrefs: 075FBA7A

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: @\D)
API String ID: 4275171209-156320408
Opcode ID: 186f3d8abe1c1a1db65bf626d384f975eb556d1eebe788fe12ebfdda945c8206
Instruction ID: ca9b84de22ada240de9a0f90aaf0239a03bd7414f641f9e24c342db1ac6ef71e
Opcode Fuzzy Hash: 186f3d8abe1c1a1db65bf626d384f975eb556d1eebe788fe12ebfdda945c8206
Instruction Fuzzy Hash: F711E0B5900249DFCB20DF9AD884BDEBBF8FB48324F14841AE569A7210C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075F9C78, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 075FC03D

Strings

@\D), xrefs: 075FBFFA

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: MessagePost
String ID: @\D)
API String ID: 410705778-156320408
Opcode ID: c98c20d7d3e95746f65e42b9f3619aff65b937fc6333bc1b986335776ffbbe52
Instruction ID: e70fdaf688f567d2257acf5e0ba958fca0e9e2b5e8ea0f0c231f65e6b0a43ab8
Opcode Fuzzy Hash: c98c20d7d3e95746f65e42b9f3619aff65b937fc6333bc1b986335776ffbbe52
Instruction Fuzzy Hash: 9911F2B58002099FDB20DF99D885BDEBBF8FB48324F10845AE515A7200C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075FBCB8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 075FBD1F

Strings

@\D), xrefs: 075FBCDA

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: ResumeThread
String ID: @\D)
API String ID: 947044025-156320408
Opcode ID: 68010443c19dc9de91d1ac1a9caf2e8c24d6537ee8454520eb9dacb13c88755a
Instruction ID: 6f2f5eef88fca55ab75dee077a84c4e5e6c223542e7e69c822b0b27dee607db5
Opcode Fuzzy Hash: 68010443c19dc9de91d1ac1a9caf2e8c24d6537ee8454520eb9dacb13c88755a
Instruction Fuzzy Hash: 1A1103B58002098FCB10DFA9D985BDEBBF4EB58224F24855AD529B7600C774A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015F9948, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015F99AE

Strings

@\D), xrefs: 015F9967

Memory Dump Source

Source File: 0000000B.00000002.306934950.00000000015F0000.00000040.00000001.sdmp, Offset: 015F0000, based on PE: false

Similarity

API ID: HandleModule
String ID: @\D)
API String ID: 4139908857-156320408
Opcode ID: 2602f253d916ce868c844ed2b55806e5ea7a1ac76c364bc2b414b09982c1c5dd
Instruction ID: 598a6bce933417140a97907c389acf90d6a24945502fca1333e407a9a5f0eb94
Opcode Fuzzy Hash: 2602f253d916ce868c844ed2b55806e5ea7a1ac76c364bc2b414b09982c1c5dd
Instruction Fuzzy Hash: 6A1113B1C0060A8FDB20CF9AD844BDEFBF4AF88228F15841AD519A7200C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075FBFDA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 075FC03D

Strings

@\D), xrefs: 075FBFFA

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: MessagePost
String ID: @\D)
API String ID: 410705778-156320408
Opcode ID: 18e3460b29cf43a5d189efb14698870db166226fb19e718eca7a4a86ecd210e0
Instruction ID: 2f6f968b8dc4f0052d29b2102a8cf7c158e4d0df556d4ee8a7b3396f0f2aa096
Opcode Fuzzy Hash: 18e3460b29cf43a5d189efb14698870db166226fb19e718eca7a4a86ecd210e0
Instruction Fuzzy Hash: 991103B5800209DFDB20DF99D985BDEBBF8FB48324F14845AE515A7200C375A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075FBCC0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 075FBD1F

Strings

@\D), xrefs: 075FBCDA

Memory Dump Source

Source File: 0000000B.00000002.314754124.00000000075F0000.00000040.00000001.sdmp, Offset: 075F0000, based on PE: false

Similarity

API ID: ResumeThread
String ID: @\D)
API String ID: 947044025-156320408
Opcode ID: cbd10c143a58faef81211f246b18a5623043038861285004c0daf21609401f40
Instruction ID: 40bd26c6338892d844dc31fbc414aee546d193f762e19fcc9ee2b215a37c7e26
Opcode Fuzzy Hash: cbd10c143a58faef81211f246b18a5623043038861285004c0daf21609401f40
Instruction Fuzzy Hash: 8511E2B18002498FCB20DF9AD885BDEFBF8EB48324F24845AD519A7240C775A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0158D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.306547639.000000000158D000.00000040.00000001.sdmp, Offset: 0158D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c5f5470f0ace9019226b9a6622e8481204b269624dd5f6da5ab525810ea06d
Instruction ID: aba90217450bae30f53ea99a0168389227363c1044f1cc953864e335fea019cd
Opcode Fuzzy Hash: 37c5f5470f0ace9019226b9a6622e8481204b269624dd5f6da5ab525810ea06d
Instruction Fuzzy Hash: AF2136B1504200DFDB01EF88D8C0B5ABBF5FB84324F248568E9095F296C376E846C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0159D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.306629619.000000000159D000.00000040.00000001.sdmp, Offset: 0159D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87664cb7958a794359cfb7885303a1f30713a48911735da03a0416959293419
Instruction ID: 1f5fa1796b63adc59f25f052e656b72adb90ce12ee870aca664d89474c858f03
Opcode Fuzzy Hash: c87664cb7958a794359cfb7885303a1f30713a48911735da03a0416959293419
Instruction Fuzzy Hash: 62210075504200DFDF15DFA4D8C0B2ABBB5FB84354F24C9A9E80A4F246D33BD806CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0159D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.306629619.000000000159D000.00000040.00000001.sdmp, Offset: 0159D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823fc9b6b7a69354e53db71903f67ebbf1479f3dfa2ed0b71e2c91b04f3a4a87
Instruction ID: 84db378c3236fdb220a601544260648aa1a595429dcc7b6b4e090826d77307c8
Opcode Fuzzy Hash: 823fc9b6b7a69354e53db71903f67ebbf1479f3dfa2ed0b71e2c91b04f3a4a87
Instruction Fuzzy Hash: A821C5B5504240DFDF15DF94D9C0B2ABBB5FB84324F24C9ADE9094F246C73AD846CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0159D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.306629619.000000000159D000.00000040.00000001.sdmp, Offset: 0159D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975a2feea4f4256e5d28ff251d6505ac083df2d0e26eb2ab7d5e4544c4ca931b
Instruction ID: 26eb51f3bd17dbd5a166b18cab00bb2656f214acf75f9c7bcd27d7050b534993
Opcode Fuzzy Hash: 975a2feea4f4256e5d28ff251d6505ac083df2d0e26eb2ab7d5e4544c4ca931b
Instruction Fuzzy Hash: AC219F755093808FDB03CF64D990B15BF71FB46214F28C5EAD8498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0158D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.306547639.000000000158D000.00000040.00000001.sdmp, Offset: 0158D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction ID: f9562c729a8e7b8a685716e47883ead36e5a2ce9bd4b7f238f49594c0c233c56
Opcode Fuzzy Hash: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction Fuzzy Hash: AC11D272404240DFDB02DF48D5C0B5ABFB1FB84320F2482A9D8090B667C37AD45ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0159D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.306629619.000000000159D000.00000040.00000001.sdmp, Offset: 0159D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
Instruction ID: 9de11c3379b5c0098af243143de5622add6e9d0c286958f819dd0daea78d7d43
Opcode Fuzzy Hash: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
Instruction Fuzzy Hash: 6F118B75904280DFDF12CF54D5C4B19FBB1FB84224F28C6A9D8494B696C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report mYh6vuKw7H.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: XpertRAT

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Function 004010B8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON