Windows Analysis Report cX0XLcXbVY

Overview

General Information

Sample Name: cX0XLcXbVY (renamed file extension from none to exe)
Analysis ID: 528551
MD5: df01095f6f0a0cd339c373d8b7865dca
SHA1: 5b26c23addf1bcd6c76edb8c69bf562398c78c0f
SHA256: e203345d8120bd6d29e667bbceb92083ebb55e36b21cd22d669aa2f91830a656
Tags: BABADEDA-Crypter, exe, Gozi, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
PE file has a writeable .text section
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Drops files with a non-matching file extension (content does not match file extension)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Checks for available system drives (often done to infect USB drives)

Process Tree

  • System is w10x64
  • cX0XLcXbVY.exe (PID: 6932 cmdline: "C:\Users\user\Desktop\cX0XLcXbVY.exe" MD5: DF01095F6F0A0CD339C373D8B7865DCA)
    • msiexec.exe (PID: 6296 cmdline: C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\cX0XLcXbVY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876815 " AI_EUIMSI=" MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • msiexec.exe (PID: 6244 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 5240 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 466E61448170B49278D25BB3E382004E C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • msiexec.exe (PID: 4676 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 613EB8117F938DA5BF4F1D396689AB1F MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • plcd-player.exe (PID: 6692 cmdline: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe MD5: 25DDBD309BB8094229704383977C7268)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000003.600995271.0000000003888000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
0000000D.00000003.600967840.0000000003888000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
0000000D.00000003.600893144.0000000003888000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
0000000D.00000003.600863435.0000000003888000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
0000000D.00000002.617030577.00000000033C9000.00000004.00000040.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(6 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.plcd-player.exe.2fb0000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
13.2.plcd-player.exe.33c94a0.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
13.2.plcd-player.exe.33c94a0.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 13.2.plcd-player.exe.33c94a0.2.raw.unpack | Malware Configuration Extractor: Ursnif {"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: cX0XLcXbVY.exe | Virustotal: Detection: 47%
Source: cX0XLcXbVY.exe | Metadefender: Detection: 22%
Source: cX0XLcXbVY.exe | ReversingLabs: Detection: 37%
Antivirus / Scanner detection for submitted sample
Source: cX0XLcXbVY.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll | Avira: detection malicious, Label: TR/Redcap.chbhs
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe | Avira: detection malicious, Label: TR/Agent.kkknq
Source: 13.2.plcd-player.exe.1000000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen8
Source: 0.3.cX0XLcXbVY.exe.3083600.1.unpack | Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Unpacked PE file: 13.2.plcd-player.exe.1000000.0.unpack
Source: cX0XLcXbVY.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txt
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txt
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txt
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txt
Source: cX0XLcXbVY.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Data\SkyDrive\Programming\Projects\Delimon\Delimon.Win32.IO 2013\Win32FileLibrary\obj\Release\Delimon.Win32.IO.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, Delimon.Win32.IO.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: cX0XLcXbVY.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: cX0XLcXbVY.exe, decoder.dll.0.dr
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb @ source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr
Source: Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdbp source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb] source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbk source: cX0XLcXbVY.exe
Source: Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, 6d1078.msi.4.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: cX0XLcXbVY.exe
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, 6d1078.msi.4.dr
Source: Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbi source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, 6d1078.msi.4.dr
Source: Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
Source: Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb"" source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb0k source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source: Binary string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdbSHA256 source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, 6d1078.msi.4.dr
Source: Binary string: d:\projects\SslCertBinding.Net\src\SslCertBinding.Net\obj\Release\SslCertBinding.Net.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, 6d1078.msi.4.dr
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:
Source: cX0XLcXbVY.exe | String found in binary or memory: !LShell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Runtime Environment\Software\JavaSoft\Java Development Kit\JavaHomeFlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmp.partattachmentHEAD "=charsetfilename123DLDutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET*/*FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: cX0XLcXbVY.exe, 00000000.00000000.345597742.0000000000C95000.00000002.00020000.sdmp, cX0XLcXbVY.exe, 00000000.00000002.451948964.0000000000C95000.00000002.00020000.sdmp | String found in binary or memory: Shell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Runtime Environment\Software\JavaSoft\Java Development Kit\JavaHomeFlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmp.partattachmentHEAD "=charsetfilename123DLDutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET*/*FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://aia.startssl.com/certs/ca.crt02
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://aia.startssl.com/certs/sub.class2.code.ca.crt0#
Source: cX0XLcXbVY.exe, 00000000.00000003.395526825.0000000004E59000.00000004.00000001.sdmp, plcd-player.exe, 0000000D.00000002.615817689.000000000126A000.00000002.00020000.sdmp | String found in binary or memory: http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4
Source: cX0XLcXbVY.exe, 00000000.00000003.395526825.0000000004E59000.00000004.00000001.sdmp, plcd-player.exe, 0000000D.00000002.615817689.000000000126A000.00000002.00020000.sdmp | String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
Source: cX0XLcXbVY.exe, 00000000.00000003.395526825.0000000004E59000.00000004.00000001.sdmp, plcd-player.exe, 0000000D.00000002.615817689.000000000126A000.00000002.00020000.sdmp | String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML
Source: cX0XLcXbVY.exe, 00000000.00000003.450916660.0000000002F61000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.449834940.0000000002F51000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootC
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: cX0XLcXbVY.exe, 00000000.00000003.356451186.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353841384.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390820264.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000002.451599928.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353764378.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.450250541.0000000000916000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://crl.startssl.com/crtc2-crl.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://crl.startssl.com/sfsca.crl0C
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: cX0XLcXbVY.exe, 00000000.00000003.450916660.0000000002F61000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.449834940.0000000002F51000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assuP
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: cX0XLcXbVY.exe, 00000000.00000003.353841384.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353764378.0000000000916000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: cX0XLcXbVY.exe, 00000000.00000003.353841384.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353764378.0000000000916000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/Z0
Source: cX0XLcXbVY.exe, 00000000.00000002.453043589.0000000002F62000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.450916660.0000000002F61000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.449834940.0000000002F51000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: cX0XLcXbVY.exe, 00000000.00000003.450867423.0000000000861000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353841384.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353764378.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000002.451339906.0000000000862000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: cX0XLcXbVY.exe, 00000000.00000003.353836394.0000000000913000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353758780.000000000090E000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?590d46a8258e4
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | String found in binary or memory: http://icu-project.org
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://mybusinesscatalog.com0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://ocsp.comodoca.com0B
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://ocsp.startssl.com/ca00
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://ocsp.startssl.com/sub/class2/code/ca0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr | String found in binary or memory: http://t2.symcb.com0
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr | String found in binary or memory: http://tl.symcd.com0&
Source: cX0XLcXbVY.exe, 00000000.00000003.395088538.0000000004B30000.00000004.00000001.sdmp | String found in binary or memory: http://www.MyBusinessCatalog.com
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: cX0XLcXbVY.exe, 00000000.00000003.395088538.0000000004B30000.00000004.00000001.sdmp | String found in binary or memory: http://www.ecb.int/vocabulary/2002-08-01/eurofxref
Source: cX0XLcXbVY.exe, 00000000.00000003.395088538.0000000004B30000.00000004.00000001.sdmp | String found in binary or memory: http://www.gesmes.org/xml/2002-08-01
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://www.openssl.org/V
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://www.startssl.com/0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://www.startssl.com/policy.pdf0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.unicode.org/copyright.html
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr | String found in binary or memory: https://aka.ms/azsdkvalueprop.
Source: currencysystem5.json.0.dr | String found in binary or memory: https://currencysystem.com
Source: cX0XLcXbVY.exe, 00000000.00000003.395088538.0000000004B30000.00000004.00000001.sdmp | String found in binary or memory: https://currencysystem.com/gfx/pub/script-button-88x31.gif
Source: cX0XLcXbVY.exe, 00000000.00000003.395088538.0000000004B30000.00000004.00000001.sdmp, currencysystem5.json.0.dr | String found in binary or memory: https://currencysystem.com/gfx/pub/script-button-88x31.png
Source: cX0XLcXbVY.exe, 00000000.00000003.395088538.0000000004B30000.00000004.00000001.sdmp | String found in binary or memory: https://currencysystem.com/gfx/pub/script-icon-16x16.gif
Source: cX0XLcXbVY.exe, 00000000.00000003.395088538.0000000004B30000.00000004.00000001.sdmp, currencysystem5.json.0.dr | String found in binary or memory: https://currencysystem.com/gfx/pub/script-icon-16x16.png
Source: plcd-player.exe, 0000000D.00000003.576522904.0000000000B85000.00000004.00000001.sdmp | String found in binary or memory: https://get.updates.avast.cn/sreamble/1yYwg5JPV/TTMEh_2Bvq0Lam2KQ1N6/CbCST3fFsNMsZldokdK/BsvHxVUlWny
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0D
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: https://secure.comodo.com/CPS0L
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: https://www.globalsign.com/repository/03
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.drString found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Certificates
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.drString found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Keys
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.drString found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Secrets
                  Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.drString found in binary or memory: https://www.thawte.com/cps0/
                  Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.drString found in binary or memory: https://www.thawte.com/repository0W
                  Source: unknownDNS traffic detected: queries for: get.updates.avast.cn

                  Key, Mouse, Clipboard, Microphone and Screen Capturing:

                  Yara detected Ursnif
                  Source: Yara match | File source: 0000000D.00000003.600995271.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600967840.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600893144.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600863435.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600982689.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600919117.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600945104.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600828207.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000002.617093902.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: plcd-player.exe PID: 6692, type: MEMORYSTR
                  Source: Yara match | File source: 13.2.plcd-player.exe.2fb0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.plcd-player.exe.33c94a0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.plcd-player.exe.33c94a0.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000D.00000002.617030577.00000000033C9000.00000004.00000040.sdmp, type: MEMORY

                  E-Banking Fraud:

                  Yara detected Ursnif
                  Source: Yara match | File source: 0000000D.00000003.600995271.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600967840.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600893144.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600863435.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600982689.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600919117.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600945104.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600828207.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000002.617093902.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: plcd-player.exe PID: 6692, type: MEMORYSTR
                  Source: Yara match | File source: 13.2.plcd-player.exe.2fb0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.plcd-player.exe.33c94a0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.plcd-player.exe.33c94a0.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000D.00000002.617030577.00000000033C9000.00000004.00000040.sdmp, type: MEMORY

                  System Summary:

                  PE file has a writeable .text section
                  Source: plcd-player.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: plcd-player.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Writes or reads registry keys via WMI
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                  Writes registry values via WMI
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                  Source: cX0XLcXbVY.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                  Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI1625.tmp
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\6d1078.msi
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Code function: 0_3_008E7F62
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Code function: 0_3_008E9790
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_02FBAFC0
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_02FB7FBE
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_02FB836E
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_0103BD60
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_01065D70
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_011D35A3
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_011D3483
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_011B74B9
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_011C44AF
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_01042300
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_011AEFC1
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_01001703 NtMapViewOfSection
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_01001C90 GetProcAddress,NtCreateSection,memset
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_010019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_02FB9A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_02FBB1E5 NtQueryVirtualMemory
                  Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePrereq.dllF vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000002.452293156.0000000000CFD000.00000002.00020000.sdmp | Binary or memory string: OriginalFileNameplcd-player.exe> vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.450818856.00000000008B8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefusion.dllT vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameicuio58.dll vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUtilities_HelperlL vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamelibeay32.dllH vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Azure.KeyVault.Core.dll> vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSslCertBinding.Net.dllH vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamessleay32.dllH vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.Tasks.dllP vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.346953883.0000000000892000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDecoder.dllF vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.450144518.00000000008B8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefusion.dllT vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.450313012.00000000008B8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefusion.dllT vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamelzmaextractor.dllF vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAICustAct.dllF vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameJDesktop.tools vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAWSSDK.SimpleDB.dllb! vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDelimon.Win32.IO.dllD vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dll8 vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe | Binary or memory string: OriginalFileNameplcd-player.exe> vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe | Binary or memory string: OriginalFilenameDecoder.dllF vs cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: plcd-player.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: plcd-player.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Section loaded: lpk.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Section loaded: tsappcmp.dll
                  Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
                  Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Section loaded: libftl2.dll
                  Source: cX0XLcXbVY.exe | Static PE information: invalid certificate
                  Source: Delimon.Win32.IO.dll.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: cX0XLcXbVY.exe | Virustotal: Detection: 47%
                  Source: cX0XLcXbVY.exe | Metadefender: Detection: 22%
                  Source: cX0XLcXbVY.exe | ReversingLabs: Detection: 37%
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File read: C:\Users\user\Desktop\cX0XLcXbVY.exe
                  Source: cX0XLcXbVY.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown | Process created: C:\Users\user\Desktop\cX0XLcXbVY.exe "C:\Users\user\Desktop\cX0XLcXbVY.exe"
                  Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                  Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 466E61448170B49278D25BB3E382004E C
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\cX0XLcXbVY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876815 " AI_EUIMSI="
                  Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 613EB8117F938DA5BF4F1D396689AB1F
                  Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Local\Temp\shi7A5E.tmp
                  Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/70@1/0
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File read: C:\Users\desktop.ini
                  Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncMethodTaskCache<TResult>.cs | Task registration methods: 'CreateCache', 'CreateCompleted'
                  Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncTaskMethodBuilder<TResult>.cs | Task registration methods: 'Create'
                  Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncTaskMethodBuilder.cs | Task registration methods: 'Create'
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_02FB8F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
                  Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp | Binary or memory string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb
                  Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/InflaterInputBuffer.cs | Cryptographic APIs: 'TransformBlock'
                  Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/DeflaterOutputStream.cs | Cryptographic APIs: 'TransformBlock'
                  Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Encryption/ZipAESTransform.cs | Cryptographic APIs: 'TransformBlock'
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: cX0XLcXbVY.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                  Source: cX0XLcXbVY.exe | Static file information: File size 7835392 > 1048576
                  Source: cX0XLcXbVY.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x183c00
                  Source: cX0XLcXbVY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: cX0XLcXbVY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: cX0XLcXbVY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: cX0XLcXbVY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: cX0XLcXbVY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: cX0XLcXbVY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: cX0XLcXbVY.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: cX0XLcXbVY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: c:\Data\SkyDrive\Programming\Projects\Delimon\Delimon.Win32.IO 2013\Win32FileLibrary\obj\Release\Delimon.Win32.IO.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, Delimon.Win32.IO.dll.0.dr
                  Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: cX0XLcXbVY.exe, decoder.dll.0.dr
                  Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: cX0XLcXbVY.exe, decoder.dll.0.dr
                  Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb @ source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr
                  Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr
                  Source: Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdbp source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
                  Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb] source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr
                  Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbk source: cX0XLcXbVY.exe
                  Source: Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
                  Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, 6d1078.msi.4.dr
                  Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: cX0XLcXbVY.exe
                  Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, 6d1078.msi.4.dr
                  Source: Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
                  Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbi source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, 6d1078.msi.4.dr
                  Source: Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
                  Source: Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb"" source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
                  Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr
                  Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb0k source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
                  Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
                  Source: Binary string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
                  Source: Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdbSHA256 source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
                  Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, 6d1078.msi.4.dr
                  Source: Binary string: d:\projects\SslCertBinding.Net\src\SslCertBinding.Net\obj\Release\SslCertBinding.Net.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
                  Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, 6d1078.msi.4.dr
                  Source: cX0XLcXbVY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: cX0XLcXbVY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: cX0XLcXbVY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: cX0XLcXbVY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: cX0XLcXbVY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation:

                  Detected unpacking (overwrites its own PE header)
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Unpacked PE file: 13.2.plcd-player.exe.1000000.0.unpack
                  Detected unpacking (changes PE section rights)
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Unpacked PE file: 13.2.plcd-player.exe.1000000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Code function: 0_3_008D3A80 push edi; retf 0_3_008D3A88
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Code function: 0_3_008D0639 push edx; retf 0_3_008D0641
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Code function: 0_3_008D0678 push ebp; retf 0_3_008D0679
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_02FBE62F push edi; retf 13_2_02FBE630
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_02FBAC00 push ecx; ret 13_2_02FBAC09
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_02FBAFAF push ecx; ret 13_2_02FBAFBF
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_02FBE9AC push 0B565A71h; ret 13_2_02FBE9B1
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_011E5731 push ecx; ret 13_2_011E5744
                  Source: shi7A5E.tmp.0.dr | Static PE information: section name: .wpp_sf
                  Source: shi7A5E.tmp.0.dr | Static PE information: section name: .didat
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 13_2_01001264 LoadLibraryA,GetProcAddress,13_2_01001264
                  Source: decoder.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x378b8
                  Source: lcms-5.0.dll.4.dr | Static PE information: real checksum: 0x4a44af should be: 0x4c891f
                  Source: lcms-5.0.dll.0.dr | Static PE information: real checksum: 0x4a44af should be: 0x4c891f
                  Source: shi7A5E.tmp.0.dr | Static PE information: 0x72F9C735 [Sun Feb 16 01:34:45 2031 UTC]
                  Source: initial sample | Static PE information: section name: .text entropy: 7.27378716859
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ml
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ml
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI1C63.tmp
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI1D9D.tmp
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Local\Temp\shi7A5E.tmp
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI1625.tmp
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Local\Temp\MSI7C24.tmp
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI1B39.tmp
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Local\Temp\MSI7F13.tmp
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dll
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dll
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dll
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI18B7.tmp
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\lcms-5.0.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\decoder.dll
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI19E0.tmp
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txt
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txt
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txt
                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txt

                  Hooking and other Techniques for Hiding and Protection:

                  Yara detected Ursnif
                  Source: Yara match | File source: 0000000D.00000003.600995271.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600967840.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600893144.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600863435.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600982689.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600919117.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600945104.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000003.600828207.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000002.617093902.0000000003888000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: plcd-player.exe PID: 6692, type: MEMORYSTR
                  Source: Yara match | File source: 13.2.plcd-player.exe.2fb0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.plcd-player.exe.33c94a0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.plcd-player.exe.33c94a0.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000D.00000002.617030577.00000000033C9000.00000004.00000040.sdmp, type: MEMORY
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Process information set: NOGPFAULTERRORBOX
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe TID: 6980 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 6832 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 6784 | Thread sleep time: -240000s >= -30000s
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI1C63.tmp
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI18B7.tmp
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi7A5E.tmp
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI19E0.tmp
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Thread delayed: delay time: 240000
                  Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Thread delayed: delay time: 30000
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Thread delayed: delay time: 240000
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install FullSizeInformation
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exe | File Volume queried: C:\ FullSizeInformation
                  Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                  Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: 6d1078.msi.4.drBinary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
                  Source: cX0XLcXbVY.exe, 00000000.00000002.453449521.0000000002FA8000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000002.453043589.0000000002F62000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.450916660.0000000002F61000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.356451186.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353841384.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.449834940.0000000002F51000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390820264.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000002.451599928.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353764378.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.450250541.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.450972250.0000000002FA8000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.449981847.0000000002FA8000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 13_2_6E6D6FED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_6E6D6FED
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 13_2_01001264 LoadLibraryA,GetProcAddress,13_2_01001264
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 13_2_6E6E5BE9 mov eax, dword ptr fs:[00000030h]13_2_6E6E5BE9
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 13_2_011C6DDC mov eax, dword ptr fs:[00000030h]13_2_011C6DDC
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 13_2_011B5B18 mov eax, dword ptr fs:[00000030h]13_2_011B5B18
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 13_2_011FAC46 mov eax, dword ptr fs:[00000030h]13_2_011FAC46
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 13_2_6E6D6FED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_6E6D6FED
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 13_2_6E6C7D41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_6E6C7D41
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 13_2_011A7C2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_011A7C2C
                  Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 13_2_011B9C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_011B9C76
                  Source: C:\Users\user\Desktop\cX0XLcXbVY.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\cX0XLcXbVY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876815 " AI_EUIMSI="
                  Source: plcd-player.exe, 0000000D.00000002.616342981.00000000015A0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                  Source: plcd-player.exe, 0000000D.00000002.616342981.00000000015A0000.00000002.00020000.sdmpBinary or memory string: Progman
                  Source: plcd-player.exe, 0000000D.00000002.616342981.00000000015A0000.00000002.00020000.sdmpBinary or memory string: &Program Manager
                  Source: plcd-player.exe, 0000000D.00000002.616342981.00000000015A0000.00000002.00020000.sdmpBinary or memory string: Progmanlock