Windows Analysis Report SgjcpodWpB.exe

Overview

General Information

Sample Name: SgjcpodWpB.exe
Analysis ID: 452445
MD5: a4f4b5daa83bb6dc85ede588ffbfdb34
SHA1: 9bbaac140fa643d30bf25af71561f5ee35874898
SHA256: f61201b7b85a410a62c1f1946095b3feabb6e672fb8ddc0c64789a02ae9a06f4
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • SgjcpodWpB.exe (PID: 6044 cmdline: 'C:\Users\user\Desktop\SgjcpodWpB.exe' MD5: A4F4B5DAA83BB6DC85EDE588FFBFDB34)
    • 3672547.exe (PID: 3164 cmdline: 'C:\Users\user\AppData\Roaming\3672547.exe' MD5: A37B1548C0985AE8A2763CF6D1B39C80)
      • WerFault.exe (PID: 4436 cmdline: C:\Windows\system32\WerFault.exe -u -p 3164 -s 2172 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • 3228047.exe (PID: 3252 cmdline: 'C:\Users\user\AppData\Roaming\3228047.exe' MD5: 52BE91BB8576B57551F38CF98BD984CC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000003.00000002.294532609.0000000006DE0000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: 3228047.exe PID: 3252 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: 3228047.exe PID: 3252 | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
Process Memory Space: 3228047.exe PID: 3252 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
3.2.3228047.exe.6de0000.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: music-s.xyz  Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\3228047.exe  ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\3672547.exe  ReversingLabs: Detection: 53%
Multi AV Scanner detection for submitted file
Source: SgjcpodWpB.exe  Virustotal: Detection: 64%
Source: SgjcpodWpB.exe  Metadefender: Detection: 31%
Source: SgjcpodWpB.exe  ReversingLabs: Detection: 57%
Machine Learning detection for sample
Source: SgjcpodWpB.exe  Joe Sandbox ML: detected
Source: SgjcpodWpB.exe  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: unknown  HTTPS traffic detected: 104.21.7.102:443 -> 192.168.2.3:49720 version: TLS 1.0
Source: unknown  HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49723 version: TLS 1.0
Source: unknown  HTTPS traffic detected: 172.67.202.174:443 -> 192.168.2.3:49732 version: TLS 1.0
Source: SgjcpodWpB.exe  Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Core.ni.pdbRSDSD source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.Xml.ni.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.ni.pdbRSDS source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: 0C:\Windows\mscorlib.pdbG>Up source: 3672547.exe, 00000002.00000000.289517705.00000000012F2000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdb0 source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.Management.ni.pdbRSDSJ source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.Configuration.ni.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.Security.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.Configuration.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.Xml.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.Core.ni.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.Web.Extensions.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: mscorlib.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: C:\Users\user\AppData\Roaming\3672547.PDBh source: 3672547.exe, 00000002.00000000.289517705.00000000012F2000.00000004.00000001.sdmp
Source: Binary string: System.Management.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: mscorlib.ni.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.Management.ni.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.Core.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: lib.pdb.0 source: 3672547.exe, 00000002.00000000.289517705.00000000012F2000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS] source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: C:\Users\user\AppData\Roaming\3672547.PDB source: 3672547.exe, 00000002.00000000.289517705.00000000012F2000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.Management.pdbP% source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.ni.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: System.Web.pdb source: WERAD9B.tmp.dmp.16.dr
Source: Binary string: 3672547.PDB( source: 3672547.exe, 00000002.00000000.289517705.00000000012F2000.00000004.00000001.sdmp

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\SgjcpodWpB.exe  DNS query: name: iplogger.org
Performs DNS queries to domains with low reputation
Source: C:\Users\user\Desktop\SgjcpodWpB.exe  DNS query: music-s.xyz
Source: C:\Users\user\AppData\Roaming\3228047.exe  DNS query: kalamaivig.xyz
Source: C:\Users\user\AppData\Roaming\3672547.exe  DNS query: getdesignusa.xyz
Source: C:\Users\user\AppData\Roaming\3228047.exe  DNS query: kalamaivig.xyz
Source: C:\Users\user\AppData\Roaming\3228047.exe  DNS query: kalamaivig.xyz
Source: C:\Users\user\AppData\Roaming\3672547.exe  DNS query: getdesignusa.xyz
Source: global traffic  HTTP traffic detected: POST / HTTP/1.1  Content-Type: text/xml; charset=utf-8  SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"  Host: kalamaivig.xyz  Content-Length: 144  Expect: 100-continue  Accept-Encoding: gzip, deflate  Connection: Keep-Alive
Source: global traffic  HTTP traffic detected: POST / HTTP/1.1  Content-Type: text/xml; charset=utf-8  SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"  Host: kalamaivig.xyz  Content-Length: 11876  Expect: 100-continue  Accept-Encoding: gzip, deflate
Source: global traffic  HTTP traffic detected: POST / HTTP/1.1  Content-Type: text/xml; charset=utf-8  SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"  Host: kalamaivig.xyz  Content-Length: 11868  Expect: 100-continue  Accept-Encoding: gzip, deflate  Connection: Keep-Alive
Source: Joe Sandbox View  IP Address: 212.224.105.79
Source: Joe Sandbox View  IP Address: 88.99.66.31
Source: Joe Sandbox View  ASN Name: DE-FIRSTCOLOwwwfirst-colonetDE
Source: Joe Sandbox View  ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View  JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown  HTTPS traffic detected: 104.21.7.102:443 -> 192.168.2.3:49720 version: TLS 1.0
Source: unknown  HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49723 version: TLS 1.0
Source: unknown  HTTPS traffic detected: 172.67.202.174:443 -> 192.168.2.3:49732 version: TLS 1.0
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmpString found in binary or memory: 9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
              Source: 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmpString found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: unknown  DNS traffic detected: queries for: music-s.xyz
Source: unknown  HTTP traffic detected: POST / HTTP/1.1  Content-Type: text/xml; charset=utf-8  SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"  Host: kalamaivig.xyz  Content-Length: 144  Expect: 100-continue  Accept-Encoding: gzip, deflate  Connection: Keep-Alive
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmpString found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
              Source: SgjcpodWpB.exe, 00000000.00000002.217498812.0000000002D47000.00000004.00000001.sdmp, 3672547.exe, 00000002.00000000.291805782.0000000003261000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.286520903.0000000000872000.00000004.00000020.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
              Source: SgjcpodWpB.exe, 00000000.00000002.218629249.0000000002FC6000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: SgjcpodWpB.exe, 00000000.00000002.233189357.000000001C288000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: SgjcpodWpB.exe, 00000000.00000002.217498812.0000000002D47000.00000004.00000001.sdmp, 3672547.exe, 00000002.00000000.291805782.0000000003261000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.286520903.0000000000872000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
              Source: SgjcpodWpB.exe, 00000000.00000002.217498812.0000000002D47000.00000004.00000001.sdmp, 3672547.exe, 00000002.00000000.290926156.000000000146D000.00000004.00000020.sdmp, 3228047.exe, 00000003.00000002.286520903.0000000000872000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
              Source: SgjcpodWpB.exe, 00000000.00000002.217498812.0000000002D47000.00000004.00000001.sdmp, 3672547.exe, 00000002.00000000.291805782.0000000003261000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
              Source: 3228047.exe, 00000003.00000002.286520903.0000000000872000.00000004.00000020.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
              Source: SgjcpodWpB.exe, 00000000.00000002.233224835.000000001C2AC000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.cE
              Source: SgjcpodWpB.exe, 00000000.00000002.218629249.0000000002FC6000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
              Source: 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmpString found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmpString found in binary or memory: http://forms.rea
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmpString found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
              Source: 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.287454138.0000000002636000.00000004.00000001.sdmpString found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
              Source: 3672547.exe, 00000002.00000000.291805782.0000000003261000.00000004.00000001.sdmpString found in binary or memory: http://getdesignusa.xyz
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmpString found in binary or memory: http://go.micros
              Source: SgjcpodWpB.exe, 00000000.00000002.218629249.0000000002FC6000.00000004.00000001.sdmpString found in binary or memory: http://iplogger.org
              Source: 3228047.exe, 00000003.00000002.289669257.0000000002971000.00000004.00000001.sdmpString found in binary or memory: http://kalamaivig.xyz
              Source: 3228047.exe, 00000003.00000002.289669257.0000000002971000.00000004.00000001.sdmpString found in binary or memory: http://kalamaivig.xyz(h
              Source: 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://kalamaivig.xyz/
              Source: 3228047.exe, 00000003.00000002.290641411.0000000002A35000.00000004.00000001.sdmpString found in binary or memory: http://kalamaivig.xyz4/l
              Source: 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://kalamaivig.xyz:80/
              Source: SgjcpodWpB.exe, 00000000.00000002.217498812.0000000002D47000.00000004.00000001.sdmpString found in binary or memory: http://music-s.xyz
              Source: SgjcpodWpB.exe, 00000000.00000002.218629249.0000000002FC6000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: SgjcpodWpB.exe, 00000000.00000002.217498812.0000000002D47000.00000004.00000001.sdmp, 3672547.exe, 00000002.00000000.291805782.0000000003261000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.286520903.0000000000872000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: SgjcpodWpB.exe, 00000000.00000002.217498812.0000000002D47000.00000004.00000001.sdmp, 3672547.exe, 00000002.00000000.290926156.000000000146D000.00000004.00000020.sdmp, 3228047.exe, 00000003.00000002.286520903.0000000000872000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0:
              Source: SgjcpodWpB.exe, 00000000.00000002.218629249.0000000002FC6000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0
              Source: 3228047.exe, 00000003.00000002.289669257.0000000002971000.00000004.00000001.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
              Source: 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
              Source: 3228047.exe, 00000003.00000002.287374077.00000000025EF000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.290641411.0000000002A35000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
              Source: 3228047.exe, 00000003.00000002.287391758.00000000025F9000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
              Source: 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
              Source: 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp
              Source: 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
              Source: SgjcpodWpB.exe, 00000000.00000002.217463413.0000000002D30000.00000004.00000001.sdmp, 3672547.exe, 00000002.00000000.291437263.0000000003181000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmpString found in binary or memory: http://service.r
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmpString found in binary or memory: http://support.a
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
              Source: 3228047.exe, 00000003.00000002.287374077.00000000025EF000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.290641411.0000000002A35000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
              Source: 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/0
              Source: 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
              Source: 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
              Source: 3228047.exe, 00000003.00000002.290641411.0000000002A35000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
              Source: 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
              Source: 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdatestr
              Source: 3228047.exe, 00000003.00000002.289669257.0000000002971000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
              Source: 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
              Source: 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
              Source: 3228047.exe, 00000003.00000002.287329164.00000000025A1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
              Source: SgjcpodWpB.exe, 00000000.00000002.217498812.0000000002D47000.00000004.00000001.sdmp, 3672547.exe, 00000002.00000000.291805782.0000000003261000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0v
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288585756.000000000286A000.00000004.00000001.sdmp, tmp8CE1.tmp.3.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: 3228047.exeString found in binary or memory: https://api.ip.sb/geoip
              Source: 3228047.exe, 00000003.00000002.294532609.0000000006DE0000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
              Source: 3228047.exe, 00000003.00000002.287391758.00000000025F9000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sbL
              Source: 3228047.exeString found in binary or memory: https://api.ipify.org
              Source: 3228047.exe, 00000003.00000002.294532609.0000000006DE0000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288585756.000000000286A000.00000004.00000001.sdmp, tmp8CE1.tmp.3.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288585756.000000000286A000.00000004.00000001.sdmp, tmp8CE1.tmp.3.drString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288585756.000000000286A000.00000004.00000001.sdmp, tmp8CE1.tmp.3.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab(;AM
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288585756.000000000286A000.00000004.00000001.sdmp, tmp8CE1.tmp.3.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmpString found in binary or memory: https://get.adob
              Source: 3672547.exe, 00000002.00000000.291547968.00000000031E9000.00000004.00000001.sdmpString found in binary or memory: https://getdesignusa.xyz
              Source: 3672547.exe, 00000002.00000000.291315193.00000000030F0000.00000004.00000001.sdmp, 3672547.exe, 00000002.00000000.291437263.0000000003181000.00000004.00000001.sdmpString found in binary or memory: https://getdesignusa.xyz/
              Source: 3672547.exe, 00000002.00000000.291497202.00000000031D5000.00000004.00000001.sdmp | String found in binary or memory: https://getdesignusa.xyz/api.php
              Source: 3672547.exe, 00000002.00000000.291805782.0000000003261000.00000004.00000001.sdmp | String found in binary or memory: https://getdesignusa.xyz8
              Source: 3672547.exe, 00000002.00000000.291547968.00000000031E9000.00000004.00000001.sdmp | String found in binary or memory: https://getdesignusa.xyzx
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmp | String found in binary or memory: https://helpx.ad
              Source: 3228047.exe, 3228047.exe, 00000003.00000002.294532609.0000000006DE0000.00000004.00000001.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
              Source: SgjcpodWpB.exe, 00000000.00000002.218599434.0000000002FB4000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org
              Source: SgjcpodWpB.exe, 00000000.00000002.218687127.0000000002FE1000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1DSJe7
              Source: SgjcpodWpB.exe, 00000000.00000002.218687127.0000000002FE1000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1DSJe7(
              Source: SgjcpodWpB.exe, 00000000.00000002.218687127.0000000002FE1000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1DSJe70yAM
              Source: SgjcpodWpB.exe, 00000000.00000002.218599434.0000000002FB4000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1XqVr7
              Source: SgjcpodWpB.exe, 00000000.00000002.218599434.0000000002FB4000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1XqVr7(
              Source: SgjcpodWpB.exe, 00000000.00000002.218599434.0000000002FB4000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1XqVr70yAM
              Source: SgjcpodWpB.exe, 00000000.00000002.218687127.0000000002FE1000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org8
              Source: SgjcpodWpB.exe, 00000000.00000002.218599434.0000000002FB4000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.orgx
              Source: SgjcpodWpB.exe, 00000000.00000002.217463413.0000000002D30000.00000004.00000001.sdmp | String found in binary or memory: https://music-s.xyz
              Source: SgjcpodWpB.exe, 00000000.00000002.218541443.0000000002F68000.00000004.00000001.sdmp | String found in binary or memory: https://music-s.xyz/
              Source: SgjcpodWpB.exe, 00000000.00000002.218541443.0000000002F68000.00000004.00000001.sdmp | String found in binary or memory: https://music-s.xyz/(
              Source: SgjcpodWpB.exe, 00000000.00000002.218541443.0000000002F68000.00000004.00000001.sdmp | String found in binary or memory: https://music-s.xyz/0yAM
              Source: SgjcpodWpB.exe, 00000000.00000002.217166784.0000000002CA2000.00000004.00000001.sdmp | String found in binary or memory: https://music-s.xyz/?user=p4_1
              Source: SgjcpodWpB.exe, 00000000.00000002.217602011.0000000002D90000.00000004.00000001.sdmp | String found in binary or memory: https://music-s.xyz/?user=p4_2
              Source: SgjcpodWpB.exe, 00000000.00000002.217869459.0000000002E89000.00000004.00000001.sdmp | String found in binary or memory: https://music-s.xyz/?user=p4_3
              Source: SgjcpodWpB.exe, 00000000.00000002.218012618.0000000002EB0000.00000004.00000001.sdmp | String found in binary or memory: https://music-s.xyz/?user=p4_4
              Source: SgjcpodWpB.exe, 00000000.00000002.218541443.0000000002F68000.00000004.00000001.sdmp | String found in binary or memory: https://music-s.xyz/?user=p4_5
              Source: SgjcpodWpB.exe, 00000000.00000002.218572595.0000000002F8E000.00000004.00000001.sdmp | String found in binary or memory: https://music-s.xyz/?user=p4_6
              Source: SgjcpodWpB.exe, 00000000.00000002.218541443.0000000002F68000.00000004.00000001.sdmp | String found in binary or memory: https://music-s.xyz8
              Source: SgjcpodWpB.exe, 00000000.00000002.217487805.0000000002D3E000.00000004.00000001.sdmp | String found in binary or memory: https://music-s.xyzx
              Source: SgjcpodWpB.exe, 00000000.00000002.217498812.0000000002D47000.00000004.00000001.sdmp, SgjcpodWpB.exe, 00000000.00000002.218541443.0000000002F68000.00000004.00000001.sdmp, 3672547.exe, 00000002.00000000.291712707.0000000003222000.00000004.00000001.sdmp, 3672547.exe, 00000002.00000000.291679738.000000000321A000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.287442165.0000000002632000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.287454138.0000000002636000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
              Source: 3228047.exe, 00000003.00000002.296011956.00000000080D3000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.ico_
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288585756.000000000286A000.00000004.00000001.sdmp, tmp8CE1.tmp.3.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288585756.000000000286A000.00000004.00000001.sdmp, tmp8CE1.tmp.3.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: 3228047.exe, 00000003.00000002.296011956.00000000080D3000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&l
              Source: SgjcpodWpB.exe, 00000000.00000002.218629249.0000000002FC6000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
              Source: SgjcpodWpB.exe, 00000000.00000002.233224835.000000001C2AC000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/I
              Source: 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
              Source: 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
              Source: 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
              Source: 3228047.exe, 00000003.00000002.288071875.00000000027D0000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
              Source: 3672547.exe, 00000002.00000000.290926156.000000000146D000.00000004.00000020.sdmp | String found in binary or memory: https://support.microso
              Source: 3672547.exe, 00000002.00000000.290926156.000000000146D000.00000004.00000020.sdmp | String found in binary or memory: https://support.microsoom/k
              Source: SgjcpodWpB.exe, 00000000.00000002.217498812.0000000002D47000.00000004.00000001.sdmp, 3672547.exe, 00000002.00000000.290926156.000000000146D000.00000004.00000020.sdmp, 3228047.exe, 00000003.00000002.286520903.0000000000872000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
              Source: 3228047.exe, 00000003.00000002.296011956.00000000080D3000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/goog
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp, 3228047.exe, 00000003.00000002.288585756.000000000286A000.00000004.00000001.sdmp, tmp8CE1.tmp.3.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
              Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
              Source: 3228047.exe, 00000003.00000002.286351525.00000000007D0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary:

              PE file contains section with special chars
              Source: SgjcpodWpB.exe | Static PE information: section name: ^KkR{X
              Source: 3672547.exe.0.dr | Static PE information: section name: 13qw:K:
              Source: 3228047.exe.0.dr | Static PE information: section name: I r8V|
              PE file has nameless sections
              Source: SgjcpodWpB.exe | Static PE information: section name: (empty)
              Source: 3672547.exe.0.dr | Static PE information: section name: (empty)
              Source: 3228047.exe.0.dr | Static PE information: section name: (empty)
              Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\3228047.exe 2EFF8B37B39A5384BF9A3732BD7395AF3430BD36EAFDAD4BA5CEC6F707CDD680
              Source: C:\Users\user\AppData\Roaming\3672547.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3164 -s 2172
              Source: SgjcpodWpB.exe | Binary or memory string: OriginalFilename vs SgjcpodWpB.exe
              Source: SgjcpodWpB.exe, 00000000.00000002.232718915.000000001BB30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SgjcpodWpB.exe
              Source: SgjcpodWpB.exe, 00000000.00000002.216059402.0000000000908000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameppphhyf.exe" vs SgjcpodWpB.exe
              Source: SgjcpodWpB.exe, 00000000.00000002.224330647.0000000016543000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSubjected.exe4 vs SgjcpodWpB.exe
              Source: SgjcpodWpB.exe, 00000000.00000002.216972343.0000000002B20000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SgjcpodWpB.exe
              Source: SgjcpodWpB.exe, 00000000.00000002.219468915.0000000015D81000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamegfgfdfdg.exe2 vs SgjcpodWpB.exe
              Source: SgjcpodWpB.exe, 00000000.00000002.216481391.0000000000EAA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SgjcpodWpB.exe
              Source: SgjcpodWpB.exe, 00000000.00000002.216752064.00000000010C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SgjcpodWpB.exe
              Source: SgjcpodWpB.exe, 00000000.00000002.232461994.000000001B650000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SgjcpodWpB.exe
              Source: SgjcpodWpB.exe, 00000000.00000002.232461994.000000001B650000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SgjcpodWpB.exe
              Source: SgjcpodWpB.exe | Binary or memory string: OriginalFilenameppphhyf.exe" vs SgjcpodWpB.exe
              Source: SgjcpodWpB.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
              Source: SgjcpodWpB.exe | Static PE information: Section: ^KkR{X ZLIB complexity 1.00037600267
              Source: 3672547.exe.0.dr | Static PE information: Section: 13qw:K: ZLIB complexity 1.00033933081
              Source: 3228047.exe.0.dr | Static PE information: Section: I r8V| ZLIB complexity 1.00038164511
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/48@9/6
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | File created: C:\Users\user\AppData\Roaming\3672547.exe
              Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3164
              Source: C:\Users\user\AppData\Roaming\3672547.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3DAB.tmp
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\3672547.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\3228047.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\System32\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Windows\System32\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\3228047.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\3228047.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\3672547.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\3672547.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\3672547.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\3228047.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\3228047.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\3228047.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\3228047.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\3228047.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\3228047.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE masked_credit_cards (id VARCHAR,status VARCHAR,name_on_card VARCHAR,network VARCHAR,last_four VARCHAR,exp_month INTEGER DEFAULT 0,exp_year INTEGER DEFAULT 0, bank_name VARCHAR, nickname VARCHAR, card_issuer INTEGER DEFAULT 0)(;AM
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE server_address_metadata (id VARCHAR NOT NULL,use_count INTEGER NOT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0, has_converted BOOL NOT NULL DEFAULT FALSE)(;AM
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE server_card_cloud_token_data ( id VARCHAR, suffix VARCHAR, exp_month INTEGER DEFAULT 0, exp_year INTEGER DEFAULT 0, card_art_url VARCHAR, instrument_token VARCHAR)(;AM
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE server_card_metadata (id VARCHAR NOT NULL,use_count INTEGER NOT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0, billing_address_id VARCHAR)(;AM
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0, count INTEGER DEFAULT 1, PRIMARY KEY (name, value))(;AM
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE autofill_profile_names ( guid VARCHAR, first_name VARCHAR, middle_name VARCHAR, last_name VARCHAR, full_name VARCHAR)(;AM
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE keywords (id INTEGER PRIMARY KEY,short_name VARCHAR NOT NULL,keyword VARCHAR NOT NULL,favicon_url VARCHAR NOT NULL,url VARCHAR NOT NULL,safe_for_autoreplace INTEGER,originating_url VARCHAR,date_created INTEGER DEFAULT 0,usage_count INTEGER DEFAULT 0,input_encodings VARCHAR,suggest_url VARCHAR,prepopulate_id INTEGER DEFAULT 0,created_by_policy INTEGER DEFAULT 0,last_modified INTEGER DEFAULT 0,sync_guid VARCHAR,alternate_urls VARCHAR,image_url VARCHAR,search_url_post_params VARCHAR,suggest_url_post_params VARCHAR,image_url_post_params VARCHAR,new_tab_url VARCHAR,last_visited INTEGER DEFAULT 0, created_from_play_api INTEGER DEFAULT 0)(;AM
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE autofill_sync_metadata (model_type INTEGER NOT NULL, storage_key VARCHAR NOT NULL, value BLOB, PRIMARY KEY (model_type, storage_key))(;AM
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE server_addresses (id VARCHAR,company_name VARCHAR,street_address VARCHAR,address_1 VARCHAR,address_2 VARCHAR,address_3 VARCHAR,address_4 VARCHAR,postal_code VARCHAR,sorting_code VARCHAR,country_code VARCHAR,language_code VARCHAR, recipient_name VARCHAR, phone_number VARCHAR)(;AM
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE autofill_profiles ( guid VARCHAR PRIMARY KEY, company_name VARCHAR, street_address VARCHAR, dependent_locality VARCHAR, city VARCHAR, state VARCHAR, zipcode VARCHAR, sorting_code VARCHAR, country_code VARCHAR, date_modified INTEGER NOT NULL DEFAULT 0, origin VARCHAR DEFAULT '', language_code VARCHAR, use_count INTEGER NOT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0, validity_bitfield UNSIGNED NOT NULL DEFAULT 0, is_client_validity_states_updated BOOL NOT NULL DEFAULT FALSE)(;AM
              Source: 3672547.exe, 00000002.00000000.292173883.0000000003426000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE credit_cards ( guid VARCHAR PRIMARY KEY, name_on_card VARCHAR, expiration_month INTEGER, expiration_year INTEGER, card_number_encrypted BLOB, date_modified INTEGER NOT NULL DEFAULT 0, origin VARCHAR DEFAULT '', use_count INTEGER NOT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0, billing_address_id VARCHAR, nickname VARCHAR)(;AM
              Source: SgjcpodWpB.exe | Virustotal: Detection: 64%
              Source: SgjcpodWpB.exe | Metadefender: Detection: 31%
              Source: SgjcpodWpB.exe | ReversingLabs: Detection: 57%
              Source: unknown | Process created: C:\Users\user\Desktop\SgjcpodWpB.exe 'C:\Users\user\Desktop\SgjcpodWpB.exe'
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Process created: C:\Users\user\AppData\Roaming\3672547.exe 'C:\Users\user\AppData\Roaming\3672547.exe'
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Process created: C:\Users\user\AppData\Roaming\3228047.exe 'C:\Users\user\AppData\Roaming\3228047.exe'
              Source: C:\Users\user\AppData\Roaming\3672547.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3164 -s 2172
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Process created: C:\Users\user\AppData\Roaming\3672547.exe 'C:\Users\user\AppData\Roaming\3672547.exe'
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Process created: C:\Users\user\AppData\Roaming\3228047.exe 'C:\Users\user\AppData\Roaming\3228047.exe'
              Source: C:\Users\user\AppData\Roaming\3672547.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: SgjcpodWpB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: SgjcpodWpB.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: System.Core.ni.pdbRSDSD source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.Xml.ni.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.ni.pdbRSDS source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: 0C:\Windows\mscorlib.pdbG>Up source: 3672547.exe, 00000002.00000000.289517705.00000000012F2000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.pdb0 source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.Management.ni.pdbRSDSJ source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.Configuration.ni.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.Security.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.Configuration.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.Xml.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.Core.ni.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.Web.Extensions.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: mscorlib.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: C:\Users\user\AppData\Roaming\3672547.PDBh source: 3672547.exe, 00000002.00000000.289517705.00000000012F2000.00000004.00000001.sdmp
              Source: Binary string: System.Management.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: mscorlib.ni.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.Management.ni.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.Core.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: lib.pdb.0 source: 3672547.exe, 00000002.00000000.289517705.00000000012F2000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS] source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: C:\Users\user\AppData\Roaming\3672547.PDB source: 3672547.exe, 00000002.00000000.289517705.00000000012F2000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.ni.pdbRSDS source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.Management.pdbP% source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.ni.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: System.Web.pdb source: WERAD9B.tmp.dmp.16.dr
              Source: Binary string: 3672547.PDB( source: 3672547.exe, 00000002.00000000.289517705.00000000012F2000.00000004.00000001.sdmp

              Data Obfuscation:

              Detected unpacking (changes PE section rights)
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Unpacked PE file: 0.2.SgjcpodWpB.exe.8e0000.0.unpack ^KkR{X:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
              Source: C:\Users\user\AppData\Roaming\3228047.exe | Unpacked PE file: 3.2.3228047.exe.d0000.0.unpack I r8V|:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
              Source: SgjcpodWpB.exe | Static PE information: section name: ^KkR{X
              Source: SgjcpodWpB.exe | Static PE information: section name: (empty)
              Source: 3672547.exe.0.dr | Static PE information: section name: 13qw:K:
              Source: 3672547.exe.0.dr | Static PE information: section name: (empty)
              Source: 3228047.exe.0.dr | Static PE information: section name: I r8V|
              Source: 3228047.exe.0.dr | Static PE information: section name: (empty)
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Code function: 0_2_008E2698 push rdx; iretd 0_2_008E269A
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Code function: 0_2_008E60EA push 00000004h; iretd 0_2_008E60EC
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Code function: 0_2_008E37FB push rsi; retf 0_2_008E37FC
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Code function: 0_2_008E4D2C push rsi; retf 0_2_008E4D30
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Code function: 0_2_008E4A22 push rbx; retf 0_2_008E4A23
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Code function: 0_2_008E2144 push rbx; ret 0_2_008E2145
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Code function: 0_2_008E6055 push rax; retf 0_2_008E6056
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Code function: 0_2_00007FFAEED76F23 push 00000074h; iretd 0_2_00007FFAEED76F25
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Code function: 0_2_00007FFAEED7157D push 00000074h; iretd 0_2_00007FFAEED7157F
              Source: C:\Users\user\Desktop\SgjcpodWpB.exe | Code function: 0_2_00007FFAEED75511 push 00000074h; iretd 0_2_00007FFAEED7551B
              Source: C:\Users\user\AppData\Roaming\3228047.exe | Code function: 3_2_000EAC58 pushad ; iretd 3_2_000EAC59
              Source: C:\Users\user\AppData\Roaming\3228047.exe | Code function: 3_2_000ED874 push esi; iretd 3_2_000ED875
              Source: C:\Users\user\AppData\Roaming\3228047.exe | Code function: 3_2_000EEA93 push eax; ret 3_2_000EEA99
              Source: C:\Users\user\AppData\Roaming\3228047.exe | Code function: 3_2_000EE0A7 push cs; retf 3_2_000EE0A9
              Source: C:\Users\user\AppData\Roaming\3228047.exe | Code function: 3_2_000ED754 push ebp; iretd 3_2_000ED755
              Source: C:\Users\user\AppData\Roaming\3228047.exe | Code function: 3_2_000EABB1 push eax; retf 3_2_000EABC8
              Source: C:\Users\user\AppData\Roaming\3228047.exe | Code function: 3_2_000EBFC5 push eax; iretd 3_2_000EBFC6
              Source: C:\Users\user\AppData\Roaming\3228047.exe | Code function: 3_2_000ED5D6 push cs; retf 3_2_000ED5DB
              Source: C:\Users\user\AppData\Roaming\3228047.exeCode function: 3_2_00BD523F push 8B00BD52h; iretd 3_2_00BD5248
              Source: C:\Users\user\AppData\Roaming\3228047.exeCode function: 3_2_00BD2220 push cs; ret 3_2_00BD2221
              Source: C:\Users\user\AppData\Roaming\3228047.exeCode function: 3_2_00BD1D8B push ecx; iretd 3_2_00BD1D8D
              Source: C:\Users\user\AppData\Roaming\3228047.exeCode function: 3_2_023A2868 push ebx; ret 3_2_023A287A
              Source: initial sampleStatic PE information: section name: ^KkR{X entropy: 7.99809588493
              Source: initial sampleStatic PE information: section name: 13qw:K: entropy: 7.99928110007
              Source: initial sampleStatic PE information: section name: I r8V| entropy: 7.99854329578
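The three static indicators listed under Data Obfuscation (section rights that differ between the file on disk and the unpacked image, nameless or garbage-named sections such as `^KkR{X`, and section entropy just under the 8.0 bits/byte maximum) are the usual footprint of a packer stub sitting in front of an encrypted payload. The following script is an added example and is not part of the Joe Sandbox report or of its tooling: it parses the PE section table directly with the standard library, computes Shannon entropy per section and flags the same three conditions. It runs on a constructed, minimal PE-like image (no optional header, so it is not loadable) that mimics the sample's section layout; the section names, bytes and entropy threshold are assumptions made for the example, and the `E`/`R`/`W` letters are this script's own notation rather than the sandbox's.

```python
"""Static triage of PE section headers (added example, not from the report):
flag nameless / non-standard section names, near-8.0 entropy (packed or
encrypted payload) and sections that are both writable and executable."""
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names a linker normally emits; anything else deserves a look.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                   ".edata", ".pdata", ".bss", ".tls", ".CRT", ".xdata"}
ENTROPY_THRESHOLD = 7.0  # assumed heuristic; compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def rights(characteristics: int) -> str:
    """Render the IMAGE_SCN_MEM_* protection bits as E/R/W letters."""
    out = ""
    if characteristics & IMAGE_SCN_MEM_EXECUTE:
        out += "E"
    if characteristics & IMAGE_SCN_MEM_READ:
        out += "R"
    if characteristics & IMAGE_SCN_MEM_WRITE:
        out += "W"
    return out


def analyze(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return one dict per section with name, rights, entropy and findings."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size           # section table follows the optional header
    results = []
    for i in range(nsections):
        hdr = table + 40 * i               # IMAGE_SECTION_HEADER is 40 bytes
        raw_name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, hdr)
        chars = struct.unpack_from("<I", pe, hdr + 36)[0]
        name = raw_name.rstrip(b"\0").decode("latin-1")
        entropy = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        perms = rights(chars)
        findings = []
        if name == "":
            findings.append("nameless section")
        elif not all(32 <= ord(c) < 127 for c in name):
            findings.append("non-printable section name")
        elif name not in COMMON_SECTIONS:
            findings.append("non-standard section name")
        if entropy >= ENTROPY_THRESHOLD:
            findings.append("high entropy (packed/encrypted data)")
        if "E" in perms and "W" in perms:
            findings.append("writable and executable")
        results.append({"name": name, "rights": perms, "entropy": entropy, "findings": findings})
    return results


def build_sample() -> bytes:
    """Constructed minimal PE-like image (assumed layout, not loadable) with a
    normal .text, a nameless high-entropy blob and a garbage-named EW stub."""
    rng = random.Random(0x5EED)
    text = b"\x55\x8b\xec\x5d\xc3" * 64                    # repetitive code, low entropy
    blob = bytes(rng.randrange(256) for _ in range(4096))  # stands in for an encrypted payload
    stub = b"\x60\x31\xc0\x61" * 32
    payloads = [
        (b".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, text),
        (b"", IMAGE_SCN_MEM_READ, blob),
        (b"^KkR{X", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, stub),
    ]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(payloads), 0, 0, 0, 0, 0x22)
    table, body = b"", b""
    raw_ptr, vaddr = e_lfanew + 4 + 20 + 40 * len(payloads), 0x1000
    for name, chars, data in payloads:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                             len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
        vaddr += 0x1000
    return dos + b"PE\0\0" + coff + table + body


if __name__ == "__main__":
    for sec in analyze(build_sample()):
        print(f"{sec['name'] or '<none>':10} {sec['rights']:3} {sec['entropy']:.3f}  {', '.join(sec['findings'])}")
```

On a real file call `analyze(open(path, "rb").read())`. Entropy alone is a weak signal (a `.rsrc` full of compressed images also scores high), so weight the findings together: a nameless or garbage-named section that is both high-entropy and mapped writable plus executable, as in the report above, is the combination that warrants dumping the process and comparing section rights against the file on disk.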