
Windows Analysis Report kS2dqbsDwD

Overview

General Information

Sample Name: kS2dqbsDwD (renamed file extension from none to exe)
Analysis ID: 452457
MD5: 888ab99280a081717ec5c5749266d1bd
SHA1: 3a071aeadd42c1232ff2878d2adf7f1e4a629180
SHA256: e726f2014db779e3605f60499f84676ceb45160c6d092bedfa115f7e09d693e8
Tags: exe, trojan

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code contains very large strings
May check the online IP address of the machine
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample or dropped binary is a compiled AutoHotkey binary
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to a URL shortener service
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • kS2dqbsDwD.exe (PID: 5492 cmdline: 'C:\Users\user\Desktop\kS2dqbsDwD.exe' MD5: 888AB99280A081717EC5C5749266D1BD)
    • 325.exe (PID: 4796 cmdline: C:\Users\user\AppData\Roaming\325.exe 325 MD5: 523AC177BFB4FB64A20B60FC0CE3E0E3)
      • 325.exe (PID: 1784 cmdline: {path} MD5: 523AC177BFB4FB64A20B60FC0CE3E0E3)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["yspasenana.xyz:80"], "Bot Id": "world"}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000002.00000002.306874811.0000000003A20000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: 325.exe PID: 4796 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Process Memory Space: 325.exe PID: 1784 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
2.2.325.exe.3b45a60.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
14.2.325.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
2.2.325.exe.3b45a60.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 14.2.325.exe.400000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["yspasenana.xyz:80"], "Bot Id": "world"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\325.exe | ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: kS2dqbsDwD.exe | Virustotal: Detection: 20%
Source: kS2dqbsDwD.exe | ReversingLabs: Detection: 13%
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.25.234.53:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.217.201.169:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140087A90 GetFileAttributesW,FindFirstFileW,FindClose | 0_2_0000000140087A90
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140087B90 FindFirstFileW,FindClose,FindFirstFileW,FindClose | 0_2_0000000140087B90
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004D080 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose | 0_2_000000014004D080
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140062320 GetFileAttributesW,FindFirstFileW,FindClose | 0_2_0000000140062320
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_00000001400C2390 FindFirstFileW | 0_2_00000001400C2390
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004D405 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose | 0_2_000000014004D405
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004D40F SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose | 0_2_000000014004D40F
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004D419 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose | 0_2_000000014004D419
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004D423 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose | 0_2_000000014004D423
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004D44D SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose | 0_2_000000014004D44D
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004D478 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose | 0_2_000000014004D478
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004D4A0 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose | 0_2_000000014004D4A0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004D4BE SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose | 0_2_000000014004D4BE
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004D4DF SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose | 0_2_000000014004D4DF
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004D500 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose | 0_2_000000014004D500
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004D792 FindFirstFileW,GetLastError | 0_2_000000014004D792
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004D7E0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime | 0_2_000000014004D7E0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004D990 SystemTimeToFileTime,LocalFileTimeToFileTime,GetLastError,GetSystemTimeAsFileTime,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose | 0_2_000000014004D990
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140061A30 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose | 0_2_0000000140061A30
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004CAE0 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose | 0_2_000000014004CAE0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140032DC0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose | 0_2_0000000140032DC0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004DFA0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose | 0_2_000000014004DFA0

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | DNS query: name: iplogger.org
Performs DNS queries to domains with low reputation
Source: C:\Users\user\AppData\Roaming\325.exe | DNS query: yspasenana.xyz
Source: C:\Users\user\AppData\Roaming\325.exe | DNS query: yspasenana.xyz
Source: C:\Users\user\AppData\Roaming\325.exe | DNS query: yspasenana.xyz
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | DNS query: name: is.gd
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
  Host: yspasenana.xyz
  Content-Length: 144
  Expect: 100-continue
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
  Host: yspasenana.xyz
  Content-Length: 1125491
  Expect: 100-continue
  Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
  Host: yspasenana.xyz
  Content-Length: 1125483
  Expect: 100-continue
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.192.141.1
Source: Joe Sandbox View | IP Address: 104.25.234.53
Source: Joe Sandbox View | ASN Name: DE-FIRSTCOLOwwwfirst-colonetDE
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary | 0_2_0000000140060290
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: iplogger.org
Source: unknown | HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
  Host: yspasenana.xyz
  Content-Length: 144
  Expect: 100-continue
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                    Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz
                    Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz/
                    Source: 325.exe, 0000000E.00000002.363745282.0000000002CC3000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz4
                    Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz:80/
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp | String found in binary or memory: https://api.ip.sb
Source: 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp | String found in binary or memory: https://api.ip.sb/geoip
Source: 325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: 325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com
Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/c6138a8d-6b23-4fcf-ac63-5ded44dfc386/downloads/cf4ea471-f159-
Source: kS2dqbsDwD.exe, 00000000.00000002.307255166.0000000000943000.00000004.00000001.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/is.gd
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org/
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000003.304898256.00000000008FA000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/325.exe
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/325.exelq
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp | String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: https://get.adob
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: https://helpx.ad
Source: 325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/
Source: kS2dqbsDwD.exe, kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp | String found in binary or memory: https://iplogger.org/1Spbs7
Source: kS2dqbsDwD.exe, 00000000.00000003.304864468.00000000008C6000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1Spbs7%A_AppData%
Source: kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1Spbs7e
Source: kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/y
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/b
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp | String found in binary or memory: https://is.gd/nKi5S3
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/nKi5S3$
Source: kS2dqbsDwD.exe, 00000000.00000003.304864468.00000000008C6000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/nKi5S3%A_AppData%
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/nKi5S3H
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363595455.0000000002BEF000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363606561.0000000002BF3000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: kS2dqbsDwD.exe | String found in binary or memory: https://sectigo.com/CPS0C
Source: kS2dqbsDwD.exe | String found in binary or memory: https://sectigo.com/CPS0D
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.362868644.0000000000EAF000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.25.234.53:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.217.201.169:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_00000001400053A0 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140005280 GetClipboardFormatNameW,GetClipboardData
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140042E80 GetSystemMetrics,GetSystemMetrics,GetDC,DestroyCursor,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140011052 GetKeyboardState
Source: 325.exe, 00000002.00000002.303820429.0000000000B58000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_00000001400018BA GlobalUnWire,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,GetKeyState,GetKeyState,GetKeyState,IsDlgButtonChecked,IsDlgButtonChecked,PostMessageW,IsDlgButtonChecked,IsDlgButtonChecked,IsDialogMessageW,GetTickCount,KillTimer,ShowWindow,GetTickCount,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,ShowWindow,DragQueryFileW,DragFinish,DragFinish,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CountClipboardFormats,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsDlgButtonChecked,ScreenToClient,IsDlgButtonChecked,IsDlgButtonChecked,GetWindowRect,MulDiv,MulDiv,GetWindowRect,GetWindowRect,GetWindowLongW,SetWindowLongW,MulDiv,MulDiv,IsDlgButtonChecked,ShowWindow,DragFinish,GetWindowLongW,SetWindowLongW

System Summary:

.NET source code contains very large strings
Source: 325.exe.0.dr, uNotepad/CollectionToSort.cs | Long String: Length: 32771
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/CollectionToSort.cs | Long String: Length: 32771
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/CollectionToSort.cs | Long String: Length: 32771
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/CollectionToSort.cs | Long String: Length: 32771
Sample or dropped binary is a compiled AutoHotkey binary
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Window found: window name: AutoHotkey
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140043AD0 RegisterClipboardFormatW,MoveWindow,GetSysColor,SetBkColor,SetTextColor,GetSysColorBrush,CreateCompatibleDC,SelectObject,BitBlt,SelectObject,DeleteDC,DrawIconEx,ExcludeClipRect,CreateRectRgn,GetClipRgn,GetSysColorBrush,FillRgn,DeleteObject,GetClipBox,FillRect,GetClientRect,MoveWindow,MoveWindow,MoveWindow,InvalidateRect,ShowWindow,GetMenu,CheckMenuItem,NtdllDefWindowProc_W,SendMessageTimeoutW,PostMessageW,PostMessageW,SendMessageTimeoutW
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004438A NtdllDefWindowProc_W,PostMessageW
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140043BF6 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140043C50 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140043C8B SetFocus,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140043CAC NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140043CD9 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_00000001400492B0: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_00000001400624E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exeCode function: 0_2_0000000140046F700_2_0000000140046F70
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exeCode function: 0_2_000000014001BF800_2_000000014001BF80
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exeCode function: 0_2_0000000140044FB00_2_0000000140044FB0
                    Source: C:\Users\user\AppData\Roaming\325.exeCode function: 2_2_003B944F2_2_003B944F
                    Source: C:\Users\user\AppData\Roaming\325.exeCode function: 2_2_003B9D5B2_2_003B9D5B
                    Source: C:\Users\user\AppData\Roaming\325.exeCode function: 2_2_00B4C5342_2_00B4C534
                    Source: C:\Users\user\AppData\Roaming\325.exeCode function: 2_2_00B4E9752_2_00B4E975
                    Source: C:\Users\user\AppData\Roaming\325.exeCode function: 2_2_00B4E9782_2_00B4E978
                    Source: C:\Users\user\AppData\Roaming\325.exeCode function: 2_2_028D04502_2_028D0450
                    Source: C:\Users\user\AppData\Roaming\325.exeCode function: 2_2_04E9031C2_2_04E9031C
                    Source: C:\Users\user\AppData\Roaming\325.exeCode function: 2_2_04E9C0872_2_04E9C087
                    Source: C:\Users\user\AppData\Roaming\325.exeCode function: 2_2_04E9C0982_2_04E9C098
                    Source: C:\Users\user\AppData\Roaming\325.exeCode function: 14_2_006B944F14_2_006B944F
                    Source: C:\Users\user\AppData\Roaming\325.exeCode function: 14_2_006B9D5B14_2_006B9D5B
                    Source: C:\Users\user\AppData\Roaming\325.exeCode function: 14_2_02B4D44814_2_02B4D448
                    Source: C:\Users\user\AppData\Roaming\325.exeCode function: 14_2_02B4CB5014_2_02B4CB50
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\325.exe 20E702B077D7CF9780192671268C321BB0A76BAEC0A731413A1F04F735EEDCE3
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exeCode function: String function: 00000001400A6D70 appears 354 times
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exeCode function: String function: 0000000140086C40 appears 51 times
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exeCode function: String function: 00000001400A4F28 appears 34 times
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exeCode function: String function: 00000001400A9358 appears 45 times
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exeCode function: String function: 0000000140035BF0 appears 107 times
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exeCode function: String function: 0000000140035870 appears 77 times
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exeCode function: String function: 00000001400C2598 appears 38 times
                    Source: kS2dqbsDwD.exeStatic PE information: invalid certificate
                    Source: kS2dqbsDwD.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: kS2dqbsDwD.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: kS2dqbsDwD.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: kS2dqbsDwD.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: kS2dqbsDwD.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: 325.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: kS2dqbsDwD.exe, 00000000.00000002.306945204.0000000000880000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs kS2dqbsDwD.exe
                    Source: kS2dqbsDwD.exe, 00000000.00000000.201076729.000000014013D000.00000008.00020000.sdmpBinary or memory string: OriginalFilenameSteam Desktop Authenticator.exeX vs kS2dqbsDwD.exe
                    Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameOtxiH.exe2 vs kS2dqbsDwD.exe
                    Source: kS2dqbsDwD.exe, 00000000.00000002.306924616.0000000000850000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs kS2dqbsDwD.exe
                    Source: kS2dqbsDwD.exeBinary or memory string: OriginalFilenameSteam Desktop Authenticator.exeX vs kS2dqbsDwD.exe
                    Source: 325.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: kS2dqbsDwD.exeStatic PE information: Section: .MPRESS1 ZLIB complexity 1.00031240161
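The .MPRESS1 section name and the ZLIB complexity figure above are the static packer indicators the report leans on. The following is an added example, not code from the report or from Joe Sandbox, showing how to reproduce that triage without third-party libraries: a minimal section-table parser walks the DOS header, PE signature and COFF header, computes Shannon entropy per section (a different measure from the report's ZLIB complexity, but it flags the same property), and reports known packer section names, sections that are both writable and executable, and a VirtualSize far larger than SizeOfRawData. The PE image it parses is constructed inline for the demo and is not the analysed sample; PACKER_SECTION_NAMES and the 7.0 bits/byte threshold are the example's own choices.

```python
"""Packer triage from a PE section table (added example, not report code)."""
import math
import random
import struct
from dataclasses import dataclass
from typing import List

# Section names written by common packers (example's own list, not exhaustive).
PACKER_SECTION_NAMES = {".MPRESS1", ".MPRESS2", "UPX0", "UPX1", "UPX2",
                        ".aspack", ".adata", ".vmp0", ".vmp1", ".themida"}
ENTROPY_THRESHOLD = 7.0          # bits/byte; compressed or encrypted data sits near 8.0
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    num_sections, size_opt = struct.unpack_from("<H12xH", image, coff + 2)
    off = coff + 20 + size_opt
    sections = []
    for _ in range(num_sections):
        name, vsize, _va, rsize, roff, _, _, _, _, chars = struct.unpack_from(SECTION_HEADER, image, off)
        raw = image[roff:roff + rsize]
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), vsize, rsize, chars, shannon_entropy(raw)))
        off += struct.calcsize(SECTION_HEADER)
    return sections


def packer_indicators(sections: List[Section]) -> List[str]:
    """Human-readable findings, one per heuristic that fires on a section."""
    findings = []
    for s in sections:
        if s.name in PACKER_SECTION_NAMES:
            findings.append(f"{s.name}: known packer section name")
        if s.raw_size and s.entropy > ENTROPY_THRESHOLD:
            findings.append(f"{s.name}: entropy {s.entropy:.2f} bits/byte, compressed or encrypted content")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s.name}: writable and executable, a typical in-place unpacking target")
        if s.raw_size and s.virtual_size > 2 * s.raw_size:
            findings.append(f"{s.name}: VirtualSize {s.virtual_size:#x} far above raw size {s.raw_size:#x}, room for unpacked code")
    return findings


def build_sample_image() -> bytes:
    """Constructed PE image for the demo (not the analysed sample, not runnable):
    a .MPRESS1 section of pseudo-random bytes marked RWX with a large VirtualSize,
    followed by a low-entropy .text section. No optional header is needed here."""
    rng = random.Random(1)                                    # deterministic demo data
    packed = bytes(rng.randrange(256) for _ in range(4096))
    plain = b"\x90" * 512 + b"\xc3" * 512
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x22)
    table_end = e_lfanew + 4 + 20 + 2 * struct.calcsize(SECTION_HEADER)
    hdr1 = struct.pack(SECTION_HEADER, b".MPRESS1", 0x40000, 0x1000, len(packed), table_end, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    hdr2 = struct.pack(SECTION_HEADER, b".text", len(plain), 0x41000, len(plain), table_end + len(packed), 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    return dos_header + b"PE\0\0" + coff_header + hdr1 + hdr2 + packed + plain


if __name__ == "__main__":
    for line in packer_indicators(parse_sections(build_sample_image())):
        print(line)
```

On a real file, replace build_sample_image() with open(path, "rb").read(); the parser only needs the headers and section table, so it works on packed samples whose optional header has been stripped down, but it does not validate the Authenticode signature that the report flags as invalid.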
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/29@9/5
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140036D50 CreateProcessW,CloseHandle,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_00000001400624E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_00000001400C22C0 GetDiskFreeSpaceW
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140088BA0 LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | File created: C:\Users\user\AppData\Roaming\field
Source: C:\Users\user\AppData\Roaming\325.exe | File created: C:\Users\user\AppData\Local\Temp\tmpBE63.tmp
Source: C:\Users\user\AppData\Roaming\325.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\325.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\325.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\325.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\325.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\325.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\325.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\325.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\325.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\325.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\325.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: kS2dqbsDwD.exe | Virustotal: Detection: 20%
Source: kS2dqbsDwD.exe | ReversingLabs: Detection: 13%
Source: unknown | Process created: C:\Users\user\Desktop\kS2dqbsDwD.exe 'C:\Users\user\Desktop\kS2dqbsDwD.exe'
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Process created: C:\Users\user\AppData\Roaming\325.exe C:\Users\user\AppData\Roaming\325.exe 325
Source: C:\Users\user\AppData\Roaming\325.exe | Process created: C:\Users\user\AppData\Roaming\325.exe {path}
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Process created: C:\Users\user\AppData\Roaming\325.exe C:\Users\user\AppData\Roaming\325.exe 325
Source: C:\Users\user\AppData\Roaming\325.exe | Process created: C:\Users\user\AppData\Roaming\325.exe {path}
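The process-creation rows above describe a three-step chain: kS2dqbsDwD.exe drops and launches 325.exe from AppData\Roaming with its own base name as the argument, and 325.exe then launches a second copy of itself with the literal command line {path}. The following added example (not part of the report, and not Joe Sandbox code) rebuilds that chain from parent/child/command-line triples constructed from these rows and applies the heuristics a detection engineer would extract from it. The tag names, the user-writable path pattern and the reading of the self-spawn as the loader-injection pattern common to .NET stealer loaders are the example's own assumptions; "unknown" and "{path}" are reproduced literally from the report.

```python
"""Process-tree triage from sandbox 'Process created' rows (added example)."""
import ntpath
import re
from typing import List, Sequence, Tuple

Event = Tuple[str, str, str]   # (parent image, child image, child command line)

# Constructed from the report rows above; not captured telemetry.
PROCESS_EVENTS: List[Event] = [
    ("unknown",
     r"C:\Users\user\Desktop\kS2dqbsDwD.exe",
     r"'C:\Users\user\Desktop\kS2dqbsDwD.exe'"),
    (r"C:\Users\user\Desktop\kS2dqbsDwD.exe",
     r"C:\Users\user\AppData\Roaming\325.exe",
     r"C:\Users\user\AppData\Roaming\325.exe 325"),
    (r"C:\Users\user\AppData\Roaming\325.exe",
     r"C:\Users\user\AppData\Roaming\325.exe",
     "{path}"),
]

# User-writable drop locations (example's own pattern; extend for your environment).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)


def chains(events: Sequence[Event]) -> List[List[str]]:
    """Root-to-leaf image chains. Nodes are event indices, so a process that
    launches a copy of itself becomes a parent/child pair instead of a cycle."""
    parent_of = {}
    for i, (parent, _child, _cmd) in enumerate(events):
        earlier = [j for j in range(i) if events[j][1].lower() == parent.lower()]
        parent_of[i] = earlier[-1] if earlier else None
    leaves = [i for i in parent_of if i not in parent_of.values()]
    out = []
    for leaf in leaves:
        chain, node = [], leaf
        while node is not None:
            chain.append(events[node][1])
            node = parent_of[node]
        out.append(chain[::-1])
    return out


def triage(events: Sequence[Event]) -> List[Tuple[str, str]]:
    """(tag, message) pairs for every heuristic that fires on an event."""
    findings = []
    for parent, child, cmdline in events:
        stem = ntpath.splitext(ntpath.basename(child))[0]
        args = cmdline.split()
        if parent.lower() == child.lower():
            findings.append(("self-spawn",
                             f"{child} launched a copy of itself; .NET loaders commonly do this "
                             "before injecting the decrypted payload into the child (assumed pattern)"))
        if USER_WRITABLE.search(child) and not USER_WRITABLE.search(parent):
            findings.append(("drop-and-execute",
                             f"{parent} launched {child} from a user-writable path"))
        if "{path}" in cmdline:
            findings.append(("placeholder-cmdline",
                             f"{child} started with the literal argument '{{path}}', a distinctive string to pivot on"))
        if len(args) > 1 and args[-1] == stem:
            findings.append(("arg-equals-stem",
                             f"{child} received its own base name '{stem}' as an argument"))
    return findings


if __name__ == "__main__":
    for chain in chains(PROCESS_EVENTS):
        print(" -> ".join(chain))
    for tag, message in triage(PROCESS_EVENTS):
        print(f"[{tag}] {message}")
```

The same triples can be fed from Sysmon Event ID 1 (ParentImage, Image, CommandLine) to turn each tag into a hunting query; the self-spawn and placeholder-cmdline tags are the two that survive a rename of the dropped file.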
Source: C:\Users\user\AppData\Roaming\325.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32