Analysis Report mYh6vuKw7H.exe

Overview

General Information

Sample Name: mYh6vuKw7H.exe
Analysis ID: 397625
MD5: 95a3b26416f41375ef06106fb58a3764
SHA1: 952f57980d5105d94bc2e0ae389f0cc7e44ae27d
SHA256: f8e52fa75724eb08c0ec68db6799740ad36c7178b8f0dd7c8b0ee755ff60c653
Tags: exe, RAT, XpertRAT

Detection

XpertRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Generic Dropper
Yara detected XpertRAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Disables user account control notifications
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Potential browser exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • mYh6vuKw7H.exe (PID: 5728 cmdline: 'C:\Users\user\Desktop\mYh6vuKw7H.exe' MD5: 95A3B26416F41375EF06106FB58A3764)
    • mYh6vuKw7H.exe (PID: 4792 cmdline: {path} MD5: 95A3B26416F41375EF06106FB58A3764)
      • iexplore.exe (PID: 4856 cmdline: C:\Users\user\Desktop\mYh6vuKw7H.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • WerFault.exe (PID: 2024 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 76 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • iexplore.exe (PID: 1200 cmdline: C:\Users\user\Desktop\mYh6vuKw7H.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: XpertRAT

{"C2 list": ["kapasky-antivirus.firewall-gateway.net:2054", "kapasky-antivirus.firewall-gateway.net:4000"], "Mutex": "U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7", "Group": "XXX", "Name": "WWW", "Version": "3.0.10", "Password": "root"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0xad60:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp | JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security |
00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp | JoeSecurity_XpertRAT | Yara detected XpertRAT | Joe Security |
00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp | JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security |
00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp | JoeSecurity_XpertRAT | Yara detected XpertRAT | Joe Security |
(12 further entries omitted)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.iexplore.exe.400000.0.raw.unpack | JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security |
5.2.iexplore.exe.400000.0.raw.unpack | JoeSecurity_XpertRAT | Yara detected XpertRAT | Joe Security |
1.3.mYh6vuKw7H.exe.3c642d0.0.unpack | JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security |
1.3.mYh6vuKw7H.exe.3c642d0.0.unpack | JoeSecurity_XpertRAT | Yara detected XpertRAT | Joe Security |
1.3.mYh6vuKw7H.exe.3c642d0.0.raw.unpack | JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security |
(3 further entries omitted)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 1.3.mYh6vuKw7H.exe.3c642d0.0.raw.unpack | Malware Configuration Extractor: XpertRAT {"C2 list": ["kapasky-antivirus.firewall-gateway.net:2054", "kapasky-antivirus.firewall-gateway.net:4000"], "Mutex": "U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7", "Group": "XXX", "Name": "WWW", "Version": "3.0.10", "Password": "root"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe | ReversingLabs: Detection: 40%
Multi AV Scanner detection for submitted file
Source: mYh6vuKw7H.exe | Virustotal: Detection: 35%
Source: mYh6vuKw7H.exe | ReversingLabs: Detection: 40%
Source: 20.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.385e1e0.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 8.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.38ce1e0.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.2.mYh6vuKw7H.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 21.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.45de1e0.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 14.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.3.mYh6vuKw7H.exe.3c642d0.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.mYh6vuKw7H.exe.3d9e1e0.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 19.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.2.iexplore.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\mYh6vuKw7H.exe | Unpacked PE file: 1.2.mYh6vuKw7H.exe.400000.0.unpack
Source: mYh6vuKw7H.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: mYh6vuKw7H.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Process created: C:\Windows\SysWOW64\WerFault.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: kapasky-antivirus.firewall-gateway.net:2054
Source: Malware configuration extractor | URLs: kapasky-antivirus.firewall-gateway.net:4000
Source: global traffic | TCP traffic: 192.168.2.3:49686 -> 31.210.21.252:2054
Source: Joe Sandbox View | ASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE
Source: unknown | DNS traffic detected: queries for: kapasky-antivirus.firewall-gateway.net
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: mYh6vuKw7H.exe, 00000000.00000003.209735253.000000000596F000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp, mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com81i
Source: mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comC
Source: mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comC%
Source: mYh6vuKw7H.exe, 00000000.00000003.210446943.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comCs
Source: mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comJ=
Source: mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comL
Source: mYh6vuKw7H.exe, 00000000.00000003.209920096.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comT=
Source: mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comal
Source: mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comar
Source: mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comb=
Source: mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comcd
Source: mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comd
Source: mYh6vuKw7H.exe, 00000000.00000003.209867590.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comda10
Source: mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comht
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: mYh6vuKw7H.exe, 00000000.00000003.209851207.0000000005972000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comslnt
Source: mYh6vuKw7H.exe, 00000000.00000003.209832702.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comtan
Source: mYh6vuKw7H.exe, 00000000.00000003.210260234.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comw1
Source: mYh6vuKw7H.exe, 00000000.00000003.210382783.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comx=
Source: mYh6vuKw7H.exe, 00000000.00000002.234390584.0000000005944000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: mYh6vuKw7H.exe, 00000000.00000003.212529608.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/=
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mYh6vuKw7H.exe, 00000000.00000003.212497473.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers2
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, mYh6vuKw7H.exe, 00000000.00000003.213169927.0000000005970000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: mYh6vuKw7H.exe, 00000000.00000003.213169927.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers99a
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: mYh6vuKw7H.exe, 00000000.00000002.234390584.0000000005944000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdiasD
Source: mYh6vuKw7H.exe, 00000000.00000002.234390584.0000000005944000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgreta
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mYh6vuKw7H.exe, 00000000.00000003.210863832.000000000594B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/$D
Source: mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/%Dc
Source: mYh6vuKw7H.exe, 00000000.00000003.210863832.000000000594B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/BE
Source: mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/TD0
Source: mYh6vuKw7H.exe, 00000000.00000003.210863832.000000000594B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-u
Source: mYh6vuKw7H.exe, 00000000.00000003.210863832.000000000594B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/BE
Source: mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: mYh6vuKw7H.exe, 00000000.00000003.211120777.000000000594C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/mD
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: mYh6vuKw7H.exe, 00000000.00000002.234642351.0000000005B30000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: mYh6vuKw7H.exe, 00000000.00000003.209785323.0000000005970000.00000004.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000008.00000002.300552040.0000000005690000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 0000000B.00000002.313350088.00000000062F0000.00000002.00000001.sdmp, U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, 00000014.00000002.332391096.0000000005590000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: mYh6vuKw7H.exe, 00000000.00000003.209785323.0000000005970000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnht
Source: mYh6vuKw7H.exe, 00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

                    System Summary:

                    barindex
                    Malicious sample detected (through community Yara rule)Show sources
                    Source: 00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                    Source: 00000014.00000002.328609603.00000000037E5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                    Source: 00000000.00000002.232826022.0000000003D25000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                    Source: 0000000B.00000002.309855578.0000000004565000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 0_2_006D640E0_2_006D640E
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 0_2_006D66410_2_006D6641
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_0133DAE21_3_0133DAE2
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_0133DAE21_3_0133DAE2
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_013424581_3_01342458
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_013424581_3_01342458
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_013424581_3_01342458
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_0133DAE21_3_0133DAE2
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_0133DAE21_3_0133DAE2
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_013424581_3_01342458
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_013424581_3_01342458
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_013424581_3_01342458
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_0133DAE21_3_0133DAE2
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_0133DAE21_3_0133DAE2
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_013424581_3_01342458
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_013424581_3_01342458
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeCode function: 1_3_013424581_3_01342458
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe Code function: 1_2_00B8640E
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe Code function: 1_2_00B86641
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 8_2_0029640E
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 8_2_00BAC5E4
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 8_2_00BAEA30
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 8_2_00BAEA20
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 8_2_00296641
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_00DD640E
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_015FC5E4
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_015FEA30
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_015FEA20
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F5468
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F1278
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F4900
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F9920
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F21A8
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F0040
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F6860
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075FA008
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F0898
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F5F49
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F4700
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F9FF0
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F5F90
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F9638
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F9628
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F46F0
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F0D10
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F0D00
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F6D90
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F4478
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F4488
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F5360
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F3BC8
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F53C1
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F3BB8
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F4250
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F4240
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F1268
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F7298
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F7288
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F9910
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F590A
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F2181
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F6850
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F3068
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F3066
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F001E
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F48F2
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_075F0889
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Code function: 11_2_00DD6641
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 76
                    Source: mYh6vuKw7H.exe Binary or memory string: OriginalFilename vs mYh6vuKw7H.exe
                    Source: mYh6vuKw7H.exe, 00000000.00000002.232826022.0000000003D25000.00000004.00000001.sdmp Binary or memory string: OriginalFilename2.exePADDINGXXPADDING[...repeated PADDINGXX filler, truncated in the report...]
                    Source: mYh6vuKw7H.exe, 00000000.00000002.232826022.0000000003D25000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs mYh6vuKw7H.exe
                    Source: mYh6vuKw7H.exe, 00000000.00000002.238175883.0000000007530000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs mYh6vuKw7H.exe
                    Source: mYh6vuKw7H.exe, 00000000.00000002.229900126.0000000002B39000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSmartFormat.dll8 vs mYh6vuKw7H.exe
                    Source: mYh6vuKw7H.exe, 00000001.00000003.237404708.0000000003C21000.00000004.00000001.sdmp Binary or memory string: OriginalFilename1.exePADDINGXXPADDING[...repeated PADDINGXX filler elided...]PAD vs mYh6vuKw7H.exe
                    Source: mYh6vuKw7H.exe, 00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp Binary or memory string: OriginalFilename1.exePADDINGXXPADDING[...repeated PADDINGXX filler elided...]PADrvv@ vs mYh6vuKw7H.exe
                    Source: mYh6vuKw7H.exe, 00000001.00000003.238059404.0000000003C65000.00000004.00000001.sdmp Binary or memory string: OriginalFilename1.exePADDINGXXPADDING[...repeated PADDINGXX filler elided...]PADX0ve@ vs mYh6vuKw7H.exe
                    Source: mYh6vuKw7H.exe, 00000001.00000003.251595646.00000000013ED000.00000004.00000001.sdmp Binary or memory string: OriginalFilename1.exePADDINGXXPADDING[...repeated PADDINGXX filler elided...]PADrvv=4 vs mYh6vuKw7H.exe
                    Source: mYh6vuKw7H.exe, 00000001.00000002.251887637.0000000000400000.00000040.00000001.sdmp Binary or memory string: OriginalFilename2.exePADDINGXXPADDING[...repeated PADDINGXX filler, truncated in the report...]
                    Source: mYh6vuKw7H.exe, 00000001.00000002.252383680.0000000002CC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs mYh6vuKw7H.exe
                    Source: mYh6vuKw7H.exe Binary or memory string: OriginalFilename1FHG vs mYh6vuKw7H.exe
                    Source: mYh6vuKw7H.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: 00000001.00000003.251360741.00000000013AF000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000014.00000002.328609603.00000000037E5000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000000.00000002.232826022.0000000003D25000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0000000B.00000002.309855578.0000000004565000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/7@1/1
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mYh6vuKw7H.exe.log
                    Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4856
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe File created: C:\Users\user\AppData\Local\Temp\~DFDA60EFE2D9C19F68.TMP
                    Source: mYh6vuKw7H.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: mYh6vuKw7H.exe Virustotal: Detection: 35%
                    Source: mYh6vuKw7H.exe ReversingLabs: Detection: 40%
                    Source: unknown Process created: C:\Users\user\Desktop\mYh6vuKw7H.exe 'C:\Users\user\Desktop\mYh6vuKw7H.exe'
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe Process created: C:\Users\user\Desktop\mYh6vuKw7H.exe {path}
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\Desktop\mYh6vuKw7H.exe
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 76
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\Desktop\mYh6vuKw7H.exe
                    Source: unknown Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe 'C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe'
                    Source: unknown Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe 'C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe'
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}
                    Source: unknown Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe 'C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe'
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe Process created: C:\Users\user\Desktop\mYh6vuKw7H.exe {path}
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\Desktop\mYh6vuKw7H.exe
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\Desktop\mYh6vuKw7H.exe
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe Process created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe {path}
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: mYh6vuKw7H.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: mYh6vuKw7H.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: mYh6vuKw7H.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                    Data Obfuscation:

                    Detected unpacking (creates a PE file in dynamic memory)Show sources
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exeUnpacked PE file: 1.2.mYh6vuKw7H.exe.400000.0.unpack
                    .NET source code contains potential unpacker
                    Source: mYh6vuKw7H.exe, SortingVisualizer/frmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.2.mYh6vuKw7H.exe.6d0000.0.unpack, SortingVisualizer/frmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.0.mYh6vuKw7H.exe.6d0000.0.unpack, SortingVisualizer/frmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.0.mYh6vuKw7H.exe.b80000.0.unpack, SortingVisualizer/frmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.mYh6vuKw7H.exe.b80000.1.unpack, SortingVisualizer/frmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.5.dr, SortingVisualizer/frmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.290000.0.unpack, SortingVisualizer/frmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.290000.0.unpack, SortingVisualizer/frmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 11.0.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.dd0000.0.unpack, SortingVisualizer/frmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 11.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.dd0000.0.unpack, SortingVisualizer/frmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 12.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.3d0000.0.unpack, SortingVisualizer/frmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 12.0.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.3d0000.0.unpack, SortingVisualizer/frmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 14.0.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.bb0000.0.unpack, SortingVisualizer/frmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 14.2.U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe.bb0000.1.unpack, SortingVisualizer/frmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: mYh6vuKw7H.exe | Static PE information: 0xDB5235E3 [Wed Aug 7 22:34:11 2086 UTC]
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe | Code function: 0_2_006DB76B push es; retf 0_2_006DB76C
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe | Code function: 1_3_0133C9A2 pushad ; iretd 1_3_0133CEA9
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe | Code function: 1_2_00402550 push 004010A4h; ret 1_2_00402563
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe | Code function: 1_2_00402564 push 004010A4h; ret 1_2_00402577
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe | Code function: 1_2_0040250F push 004010A4h; ret 1_2_0040254F
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe | Code function: 1_2_00402A38 push 004010A4h; ret 1_2_00402D77
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe | Code function: 1_2_00402D9A push ebp; retf 1_2_00402D9B
                    Source: C:\Users\user\Desktop\mYh6vuKw7H.exe | Code function: 1_2_00B8B76B push es; retf 1_2_00B8B76C
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe | Code function: 8_2_0029B76B push es; retf 8_2_0029B76C
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe | Code function: 8_2_00BADFE0 push 2C04B4CBh; retf 8_2_00BADFE5
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe | Code function: 11_2_00DDB76B push es; retf 11_2_00DDB76C
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe | Code function: 11_2_015FDFE0 push 2C0321CBh; retf 11_2_015FDFE5
                    Source: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe | Code function: 11_2_075F621E push ds; iretd 11_2_075F621F
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Roaming\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe
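The link timestamp the report flags (0xDB5235E3, decoding to a date in 2086) can be checked independently of the sandbox. The script below is an added example and not part of the report: it parses the COFF header of a PE image with struct, decodes IMAGE_FILE_HEADER.TimeDateStamp, and classifies it as zero, in the future, or plausible. The reported stamp value comes from the report; the PE image it is read from is a minimal header constructed in memory so the script runs offline (on a real sample, pass the file bytes instead). The caveat in the comments applies to .NET samples like this one: Roslyn's deterministic build mode writes a hash-derived value into this field, so a nonsensical date alone does not prove deliberate anti-forensics.

```python
"""Decode and sanity-check IMAGE_FILE_HEADER.TimeDateStamp of a PE image.

Added example, not from the sandbox report. The PE bytes used below are a
constructed minimal header; REPORTED_STAMP is the value the report lists.
"""
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'
REPORTED_STAMP = 0xDB5235E3       # value flagged in the report


def read_timedatestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from raw PE bytes."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def decode_timestamp(stamp: int) -> datetime:
    """Interpret the stamp as seconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify_timestamp(stamp: int, now: datetime) -> str:
    """Return 'zero', 'future' or 'plausible' relative to the given reference time.

    Caveat: .NET assemblies built with Roslyn's deterministic mode carry a
    hash-derived value here rather than a build time, so 'future' is an
    indicator to correlate with other findings, not proof of tampering.
    """
    if stamp == 0:
        return "zero"
    if decode_timestamp(stamp) > now:
        return "future"
    return "plausible"


def build_minimal_pe(stamp: int) -> bytes:
    """Construct a minimal PE image (DOS header, PE signature, COFF header) for the demo."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=0x014C (i386), NumberOfSections=1, TimeDateStamp=stamp,
    # PointerToSymbolTable=0, NumberOfSymbols=0, SizeOfOptionalHeader=0xE0,
    # Characteristics=0x0102 (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff


if __name__ == "__main__":
    sample = build_minimal_pe(REPORTED_STAMP)
    stamp = read_timedatestamp(sample)
    when = decode_timestamp(stamp)
    print(f"TimeDateStamp: 0x{stamp:08X} -> {when:%a %b %d %H:%M:%S %Y} UTC")
    print("verdict:", classify_timestamp(stamp, datetime.now(timezone.utc)))
```

To run it against a real file, replace `sample` with `open(path, "rb").read()`; the header offsets are the same for 32- and 64-bit images because TimeDateStamp sits in the COFF header, before the optional header.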

                    Boot Survival:

                    Creates an undocumented autostart registry key
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7
                    Creates autostart registry keys with suspicious names
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7
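The two persistence locations above (the HKLM Policies\Explorer\Run key, which Explorer honours but which is not a documented autostart location, and the HKCU Run key) are the first thing to sweep on other hosts. The script below is an added example, not code from the report or from the sandbox vendor: it parses a Regedit 5.00 export of those keys and flags a value when it lives under Policies\Explorer\Run, or when its name is also the name of both the subdirectory and the executable under %APPDATA%\Roaming, which is the pattern the dropped file in this report follows. The export text is constructed inline so the script runs offline; the key paths and the value name are taken from the report, and the OneDrive entry is an invented benign control. On a live host the input would come from `reg export` of each key.

```python
"""Flag autostart values like the ones in the report, from a .reg export.

Added example, not part of the sandbox report. SAMPLE_REG is constructed:
the key paths and the U4G3L113-... value are modelled on the report, the
OneDrive entry is a made-up benign control.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7"="C:\\Users\\user\\AppData\\Roaming\\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7"="C:\\Users\\user\\AppData\\Roaming\\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe"
"""

# Run-style keys that autostart programs but are not documented as such.
UNDOCUMENTED_RUN_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)

_SECTION = re.compile(r"^\[(.+)\]$")
# "name"="data" with .reg escaping (\" and \\) inside either side.
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REG_SZ values of a Regedit 5.00 export into {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def _appdata_self_named(data: str) -> Optional[str]:
    """If data launches <drive>:\\Users\\<u>\\AppData\\Roaming\\<X>\\<X>.exe, return X."""
    exe = data.strip()
    if exe.startswith('"'):            # quoted path, possibly followed by arguments
        exe = exe[1:exe.find('"', 1)]
    else:
        exe = exe.split(" ")[0]
    parts = exe.split("\\")
    if len(parts) >= 4 and parts[-4].lower() == "appdata" and parts[-3].lower() == "roaming":
        if parts[-1].lower() == parts[-2].lower() + ".exe":
            return parts[-2]
    return None


def flag_autostarts(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reasons) for every suspicious autostart value."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        undocumented = any(key.lower().endswith(s.lower()) for s in UNDOCUMENTED_RUN_KEYS)
        for name, data in values.items():
            reasons = []
            if undocumented:
                reasons.append("value under Policies\\Explorer\\Run")
            subdir = _appdata_self_named(data)
            if subdir is not None and subdir.lower() == name.lower():
                reasons.append("value name equals %APPDATA% subdirectory and exe name")
            if reasons:
                findings.append((key, name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for key, name, why in flag_autostarts(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\n    {name}: {why}")
```

The self-naming check deliberately does not hard-code the identifier seen in this report, since the dropped directory and executable name vary per build; what stays constant is that the Run value, the %APPDATA%\Roaming subdirectory and the executable share one name.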