
Windows Analysis Report 3GGQ4wTFwC

Overview

General Information

Sample Name: 3GGQ4wTFwC (renamed file extension from none to exe)
Analysis ID: 483893
MD5: 2ac2d91af826847f3e2544b2420a814d
SHA1: 79101b95f1d8171e6e5c4ce4e9d9372466a6259d
SHA256: 3e3bf2b2439b584bb039f072d969a4b31f5eb4c03fd8033fec911ff3ed5c1878
Tags: AfiaWaveEnterprisesOy, AgentTesla, exe, signed

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Sigma detected: Powershell adding suspicious path to exclusion list
Drops PE files to the startup folder
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Drops PE files with benign system names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries disk information (often used to detect virtual machines)
Sigma detected: Conhost Parent Process Executions
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Process Tree

  • System is w10x64
  • 3GGQ4wTFwC.exe (PID: 4124 cmdline: 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' MD5: 2AC2D91AF826847F3E2544B2420A814D)
    • AdvancedRun.exe (PID: 6128 cmdline: 'C:\Users\user\AppData\Local\Temp\5cc6f1e7-2a9b-436b-82bf-994c701b993c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5cc6f1e7-2a9b-436b-82bf-994c701b993c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 3192 cmdline: 'C:\Users\user\AppData\Local\Temp\5cc6f1e7-2a9b-436b-82bf-994c701b993c\AdvancedRun.exe' /SpecialRun 4101d8 6128 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 2964 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 328 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4976 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2908 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5532 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • F1385DE3.exe (PID: 5592 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe' MD5: 2AC2D91AF826847F3E2544B2420A814D)
      • AdvancedRun.exe (PID: 6856 cmdline: 'C:\Users\user\AppData\Local\Temp\5ebbe2ad-7ca7-454f-943c-e13f3e9b5c45\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5ebbe2ad-7ca7-454f-943c-e13f3e9b5c45\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
        • AdvancedRun.exe (PID: 7000 cmdline: 'C:\Users\user\AppData\Local\Temp\5ebbe2ad-7ca7-454f-943c-e13f3e9b5c45\AdvancedRun.exe' /SpecialRun 4101d8 6856 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • powershell.exe (PID: 5632 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 5900 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 5936 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2D17B9CF\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 1884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 1132 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6276 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2D17B9CF\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • F1385DE3.exe (PID: 6548 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe MD5: 2AC2D91AF826847F3E2544B2420A814D)
    • powershell.exe (PID: 5288 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2D17B9CF\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5308 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4584 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2D17B9CF\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 3GGQ4wTFwC.exe (PID: 6320 cmdline: C:\Users\user\Desktop\3GGQ4wTFwC.exe MD5: 2AC2D91AF826847F3E2544B2420A814D)
  • svchost.exe (PID: 248 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5372 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3084 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5160 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 764 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2264 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 7104 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • F1385DE3.exe (PID: 6360 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe' MD5: 2AC2D91AF826847F3E2544B2420A814D)
    • AdvancedRun.exe (PID: 5872 cmdline: 'C:\Users\user\AppData\Local\Temp\089107a2-3b62-4dbf-872e-473802171b69\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\089107a2-3b62-4dbf-872e-473802171b69\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 6004 cmdline: 'C:\Users\user\AppData\Local\Temp\089107a2-3b62-4dbf-872e-473802171b69\AdvancedRun.exe' /SpecialRun 4101d8 5872 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • svchost.exe (PID: 6484 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 6536 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4124 -ip 4124 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 3696 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5592 -ip 5592 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6808 cmdline: 'C:\Users\Public\Documents\2D17B9CF\svchost.exe' MD5: 2AC2D91AF826847F3E2544B2420A814D)
    • AdvancedRun.exe (PID: 5812 cmdline: 'C:\Users\user\AppData\Local\Temp\e0347df6-417a-43b3-8594-6630f8783e0d\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\e0347df6-417a-43b3-8594-6630f8783e0d\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 2968 cmdline: 'C:\Users\user\AppData\Local\Temp\e0347df6-417a-43b3-8594-6630f8783e0d\AdvancedRun.exe' /SpecialRun 4101d8 5812 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6304 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2D17B9CF\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6688 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2D17B9CF\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6256 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2D17B9CF\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2848 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2D17B9CF\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • powershell.exe (PID: 2884 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2D17B9CF\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6876 cmdline: 'C:\Users\Public\Documents\2D17B9CF\svchost.exe' MD5: 2AC2D91AF826847F3E2544B2420A814D)
    • AdvancedRun.exe (PID: 6436 cmdline: 'C:\Users\user\AppData\Local\Temp\f95cccdc-d717-4371-838c-66879494f3b1\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f95cccdc-d717-4371-838c-66879494f3b1\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.382395641.00000000040E1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000000.382395641.00000000040E1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000000.383588832.0000000004159000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000000.383588832.0000000004159000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000000.383588832.0000000004159000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(10 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.3GGQ4wTFwC.exe.4159460.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.0.3GGQ4wTFwC.exe.4159460.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.0.3GGQ4wTFwC.exe.4119440.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.0.3GGQ4wTFwC.exe.4119440.5.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.0.3GGQ4wTFwC.exe.4217dd0.8.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
(21 further entries not shown)

                      Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' , ParentImage: C:\Users\user\Desktop\3GGQ4wTFwC.exe, ParentProcessId: 4124, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' -Force, ProcessId: 2964
Sigma detected: Conhost Parent Process Executions
Source: Process started | Author: omkar72 | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 2848, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 6704
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' , ParentImage: C:\Users\user\Desktop\3GGQ4wTFwC.exe, ParentProcessId: 4124, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' -Force, ProcessId: 2964
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132762198030753313.2964.DefaultAppDomain.powershell

Malware Analysis System Evasion:

Sigma detected: Powershell adding suspicious path to exclusion list
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' , ParentImage: C:\Users\user\Desktop\3GGQ4wTFwC.exe, ParentProcessId: 4124, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe' -Force, ProcessId: 4976
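The process tree and the Sigma hits above describe the same handful of behaviours: PowerShell adding Defender exclusions for every dropped copy, a copy of the sample run from the Startup folder, an svchost.exe under C:\Users\Public, AdvancedRun launched with /RunAs, and conhost.exe spawned by conhost.exe. The script below is an added example, not part of the Joe Sandbox report, that turns those behaviours into triage rules over process-creation events. The sample events are constructed from the command lines in the process tree (field names follow Sysmon event ID 1); the parent of the submitted sample is not shown in the report and is left empty; the rule names are this example's own and are not Sigma rule titles.

```python
"""Triage rules for process-creation events, modelled on the behaviours this
report flags. Constructed sample events mirror the process tree above."""
import re
from dataclasses import dataclass

# Locations that the legitimate svchost.exe/conhost.exe/... live in.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe",
                "services.exe", "winlogon.exe"}
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")

# -ExclusionPath 'x' / "x" / x  (also catches -ExclusionProcess/-ExclusionExtension)
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE)
RUNAS_RE = re.compile(r"/RunAs\s+(\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str        # command line as logged
    parent_image: str   # full path of the parent, "" if unknown


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def check_defender_exclusion(ev):
    """Any process running Add-MpPreference -Exclusion*; a second hit when the
    excluded path is user-writable, which is what the sample does for each copy."""
    m = EXCLUSION_RE.search(ev.cmdline)
    if "add-mppreference" not in ev.cmdline.lower() or not m:
        return []
    target = next(g for g in m.groups()[1:] if g is not None)
    out = [Finding(ev.pid, "defender_exclusion_added", f"{m.group(1)}={target}")]
    if target.lower().startswith(USER_WRITABLE):
        out.append(Finding(ev.pid, "exclusion_targets_user_writable_path", target))
    return out


def check_system_name_masquerade(ev):
    """A system binary name running from anywhere but System32/SysWOW64."""
    if basename(ev.image) in SYSTEM_NAMES and not ev.image.lower().startswith(SYSTEM_DIRS):
        return [Finding(ev.pid, "system_binary_name_outside_system32", ev.image)]
    return []


def check_startup_folder(ev):
    if STARTUP_MARKER in ev.image.lower():
        return [Finding(ev.pid, "executable_run_from_startup_folder", ev.image)]
    return []


def check_advancedrun_runas(ev):
    """NirSoft AdvancedRun with /RunAs; the numeric mode is reported, not interpreted."""
    m = RUNAS_RE.search(ev.cmdline)
    if basename(ev.image) == "advancedrun.exe" and m:
        return [Finding(ev.pid, "advancedrun_runas", f"RunAs={m.group(1)}")]
    return []


def check_conhost_parent(ev):
    if basename(ev.image) == "conhost.exe" and basename(ev.parent_image) == "conhost.exe":
        return [Finding(ev.pid, "conhost_spawned_by_conhost", ev.parent_image)]
    return []


RULES = (check_defender_exclusion, check_system_name_masquerade,
         check_startup_folder, check_advancedrun_runas, check_conhost_parent)


def triage(events):
    return [f for ev in events for rule in RULES for f in rule(ev)]


# Constructed from the report's process tree; parents marked "" are not shown there.
PS = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
TMP = "C:\\Users\\user\\AppData\\Local\\Temp\\5cc6f1e7-2a9b-436b-82bf-994c701b993c\\"
STARTUP = ("C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
           "\\Programs\\Startup\\F1385DE3.exe")
SAMPLE_EVENTS = [
    ProcEvent(4124, r"C:\Users\user\Desktop\3GGQ4wTFwC.exe",
              r"'C:\Users\user\Desktop\3GGQ4wTFwC.exe'", ""),
    ProcEvent(6128, TMP + "AdvancedRun.exe",
              f"'{TMP}AdvancedRun.exe' /EXEFilename '{TMP}test.bat' /WindowState ''0'' "
              "/PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run",
              r"C:\Users\user\Desktop\3GGQ4wTFwC.exe"),
    ProcEvent(2964, PS,
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference "
              r"-ExclusionPath 'C:\Users\user\Desktop\3GGQ4wTFwC.exe' -Force",
              r"C:\Users\user\Desktop\3GGQ4wTFwC.exe"),
    ProcEvent(1900, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", PS),
    ProcEvent(5592, STARTUP, f"'{STARTUP}'", r"C:\Users\user\Desktop\3GGQ4wTFwC.exe"),
    ProcEvent(6808, r"C:\Users\Public\Documents\2D17B9CF\svchost.exe",
              r"'C:\Users\Public\Documents\2D17B9CF\svchost.exe'", ""),
    ProcEvent(248, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS", ""),
    ProcEvent(6704, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              r"C:\Windows\System32\conhost.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"PID {f.pid:<5} {f.rule:<40} {f.detail}")
```

Run against the constructed events, the rules produce six findings: the exclusion for the desktop copy (flagged twice, once for the cmdlet and once because the path is user-writable), the AdvancedRun /RunAs launch, the Startup-folder copy, the svchost.exe under C:\Users\Public, and the conhost-under-conhost pair; the legitimate BITS svchost and the conhost under PowerShell stay quiet. On a live host, Add-MpPreference only succeeds from an elevated PowerShell, so whether the exclusions actually took effect is worth checking with `(Get-MpPreference).ExclusionPath`; `Remove-MpPreference -ExclusionPath <path>` removes them.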

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 3GGQ4wTFwC.exe | Virustotal: Detection: 62%
Source: 3GGQ4wTFwC.exe | Metadefender: Detection: 40%
Source: 3GGQ4wTFwC.exe | ReversingLabs: Detection: 48%
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Documents\2D17B9CF\svchost.exe | Metadefender: Detection: 40%
Source: C:\Users\Public\Documents\2D17B9CF\svchost.exe | ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe | Metadefender: Detection: 40%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe | ReversingLabs: Detection: 48%
Machine Learning detection for sample
Source: 3GGQ4wTFwC.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.exe | Joe Sandbox ML: detected
Source: C:\Users\Public\Documents\2D17B9CF\svchost.exe | Joe Sandbox ML: detected

Exploits:

Yara detected UAC Bypass using CMSTP
Source: Yara match | File source: 0.0.3GGQ4wTFwC.exe.4217dd0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.3GGQ4wTFwC.exe.41cacb0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.3GGQ4wTFwC.exe.56b0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.3GGQ4wTFwC.exe.56b0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.3GGQ4wTFwC.exe.42f7e30.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.3GGQ4wTFwC.exe.42f7e30.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.3GGQ4wTFwC.exe.4159460.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.383588832.0000000004159000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.402286357.00000000056B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.399560859.00000000042F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3GGQ4wTFwC.exe PID: 4124, type: MEMORYSTR
Source: 3GGQ4wTFwC.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3GGQ4wTFwC.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.VisualStudio.Utilities.Internal.pdb9 source: 3GGQ4wTFwC.exe, 00000000.00000000.405230023.000000000685A000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.405230023.000000000685A000.00000004.00000001.sdmp
                      Source: Binary string: E:\A\_work\89\s\obj\Microsoft.VisualStudio.Utilities.Internal\Release\net45\Microsoft.VisualStudio.Utilities.Internal.pdbSHA256 source: 3GGQ4wTFwC.exe, 00000000.00000000.405767189.000000000688D000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: symbols\exe\Microsoft.VisualStudio.Utilities.Internal.pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.364477189.0000000000F58000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\exe\Microsoft.VisualStudio.Utilities.Internal.pdbAbN source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: 3GGQ4wTFwC.PDB source: 3GGQ4wTFwC.exe, 00000000.00000000.364477189.0000000000F58000.00000004.00000001.sdmp
                      Source: Binary string: C:\Users\user\Desktop\3GGQ4wTFwC.PDB source: 3GGQ4wTFwC.exe, 00000000.00000000.364477189.0000000000F58000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\exe\Microsoft.VisualStudio.Utilities.Internal.pdb89 source: 3GGQ4wTFwC.exe, 00000000.00000000.405230023.000000000685A000.00000004.00000001.sdmp, F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: s.pdb source: F1385DE3.exe, 00000013.00000000.471161985.0000000000738000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbw source: 3GGQ4wTFwC.exe, 00000000.00000000.405230023.000000000685A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.365677675.000000000127F000.00000004.00000020.sdmp, F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: ktC:\Windows\Microsoft.VisualStudio.Utilities.Internal.pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.364477189.0000000000F58000.00000004.00000001.sdmp, F1385DE3.exe, 00000013.00000000.471161985.0000000000738000.00000004.00000001.sdmp
                      Source: Binary string: D:\Windows\Cursors\SuperServidorNet\_private_cry\rpe-bitrat\JabrezRPE\JabrezRPE\obj\x86\Debug\RunPE_MemoryProtection.pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.383588832.0000000004159000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbW source: 3GGQ4wTFwC.exe, 00000000.00000000.404897047.0000000006840000.00000004.00000001.sdmp
                      Source: Binary string: kC:\Users\user\Desktop\Microsoft.VisualStudio.Utilities.Internal.pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.364477189.0000000000F58000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.VisualStudio.Utilities.Internal.pdb source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: E:\A\_work\89\s\obj\Microsoft.VisualStudio.Utilities.Internal\Release\net45\Microsoft.VisualStudio.Utilities.Internal.pdb source: F1385DE3.exe
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.Utilities.Internal.pdb source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: E:\A\_work\89\s\obj\Microsoft.VisualStudio.Utilities.Internal\Release\net45\Microsoft.VisualStudio.Utilities.Internal.pdbndows\Start Menu\Programs\Startup\F1385DE3.PDB source: F1385DE3.exe, 00000013.00000000.471161985.0000000000738000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualStudio.Utilities.Internal.pdbpdbnal.pdb55e source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb~l source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: E:\A\_work\89\s\obj\Microsoft.VisualStudio.Utilities.Internal\Release\net45\Microsoft.VisualStudio.Utilities.Internal.pdbb source: F1385DE3.exe, 00000013.00000000.471161985.0000000000738000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.VisualStudio.Utilities.Internal.pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.405230023.000000000685A000.00000004.00000001.sdmp
                      Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.383588832.0000000004159000.00000004.00000001.sdmp, AdvancedRun.exe, 00000008.00000002.295005059.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000009.00000002.294496115.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000021.00000002.410448117.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000002.408923633.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000002.461430590.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002C.00000000.428192383.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000032.00000002.462713793.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000034.00000002.469517886.000000000040C000.00000002.00020000.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.404897047.0000000006840000.00000004.00000001.sdmp, F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.PDB source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb2. source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: E:\A\_work\89\s\obj\Microsoft.VisualStudio.Utilities.Internal\Release\net45\Microsoft.VisualStudio.Utilities.Internal.pdbT*r source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.Utilities.Internal.pdbeR source: 3GGQ4wTFwC.exe, 00000000.00000000.405230023.000000000685A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.Utilities.Internal.pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.405230023.000000000685A000.00000004.00000001.sdmp, F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.405230023.000000000685A000.00000004.00000001.sdmp, F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbngl source: 3GGQ4wTFwC.exe, 00000000.00000000.405230023.000000000685A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb?m7 source: 3GGQ4wTFwC.exe, 00000000.00000000.405230023.000000000685A000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbe source: 3GGQ4wTFwC.exe, 00000000.00000000.405230023.000000000685A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb^Pm source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb`o source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbn source: 3GGQ4wTFwC.exe, 00000000.00000000.405230023.000000000685A000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.pdb853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: mscorlib.pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.405767189.000000000688D000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.404897047.0000000006840000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\exe\Microsoft.VisualStudio.Utilities.Internal.pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.405230023.000000000685A000.00000004.00000001.sdmp
                      Source: Binary string: F1385DE3.PDB source: F1385DE3.exe, 00000013.00000000.471161985.0000000000738000.00000004.00000001.sdmp
                      Source: Binary string: ssymbols\exe\Microsoft.VisualStudio.Utilities.Internal.pdb source: F1385DE3.exe, 00000013.00000000.471161985.0000000000738000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.Utilities.Internal.pdbR source: F1385DE3.exe, 00000013.00000000.476257954.0000000000A3F000.00000004.00000020.sdmp
                      Source: Binary string: .pdb source: 3GGQ4wTFwC.exe, 00000000.00000000.364477189.0000000000F58000.00000004.00000001.sdmp, F1385DE3.exe, 00000013.00000000.471161985.0000000000738000.00000004.00000001.sdmp
                      Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F1385DE3.PDBs source: F1385DE3.exe, 00000013.00000000.471161985.0000000000738000.00000004.00000001.sdmp
                      Source: C:\Users\user\Desktop\3GGQ4wTFwC.exe File opened: C:\Users\user\AppData\
                      Source: C:\Users\user\Desktop\3GGQ4wTFwC.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: C:\Users\user\Desktop\3GGQ4wTFwC.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                      Source: C:\Users\user\Desktop\3GGQ4wTFwC.exe File opened: C:\Users\user\
                      Source: C:\Users\user\Desktop\3GGQ4wTFwC.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                      Source: C:\Users\user\Desktop\3GGQ4wTFwC.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                      Source: 3GGQ4wTFwC.exe, 00000000.00000000.383588832.0000000004159000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                      Source: 3GGQ4wTFwC.exe, 00000000.00000000.383588832.0000000004159000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                      Source: 3GGQ4wTFwC.exe, 00000000.00000000.383588832.0000000004159000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                      Source: 3GGQ4wTFwC.exe, 00000000.00000000.383588832.0000000004159000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                      Source: 3GGQ4wTFwC.exe, 00000000.00000000.383588832.0000000004159000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
                      Source: F1385DE3.exe String found in binary or memory: http://regexlib.com/
                      Source: 3GGQ4wTFwC.exe, 00000000.00000000.366583841.0000000003071000.00000004.00000001.sdmp, F1385DE3.exe, 00000013.00000000.478344557.0000000002691000.00000004.00000001.sdmp, F1385DE3.exe, 0000001D.00000002.492070903.0000000003312000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: F1385DE3.exe String found in binary or memory: http://www.addedbytes.com/cheat-sheets/regular-expressions-cheat-sheet/
                      Source: svchost.exe, 00000005.00000002.310038615.0000025C5B413000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
                      Source: F1385DE3.exe String found in binary or memory: http://www.codeproject.com/KB/cs/dotnetregextest.aspx
                      Source: F1385DE3.exe String found in binary or memory: http://www.codeproject.com/KB/string/regextester.aspx
                      Source: F1385DE3.exe String found in binary or memory: http://www.davidemauri.it/
                      Source: AdvancedRun.exe, AdvancedRun.exe, 00000009.00000002.294496115.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000021.00000002.410448117.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000002.408923633.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000002.461430590.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002C.00000000.428192383.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000032.00000002.462713793.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000034.00000002.469517886.000000000040C000.00000002.00020000.sdmp String found in binary or memory: http://www.nirsoft.net/
                      Source: F1385DE3.exe String found in binary or memory: http://www.sourceforge.net/projects/regextest
                      Source: F1385DE3.exe String found in binary or memory: http://www.sourceforge.net/projects/regextester
                      Source: svchost.exe, 00000005.00000003.308734954.0000025C5B461000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: svchost.exe, 00000005.00000003.308761447.0000025C5B449000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000005.00000003.308761447.0000025C5B449000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 00000005.00000003.308734954.0000025C5B461000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 00000005.00000002.310075174.0000025C5B43D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes