Windows Analysis Report jXzrIReInY

Overview

General Information

Sample Name: jXzrIReInY (renamed file extension from none to exe)
Analysis ID: 528552
MD5: 4ec77eb8280485764b6bc22f6cf7d57e
SHA1: 85215638743eeb6800aaada5d057e96032db6906
SHA256: 716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25
Tags: BABADEDA-Crypter, exe, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
PE file has a writeable .text section
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Drops files with a non-matching file extension (content does not match file extension)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Checks for available system drives (often done to infect USB drives)

Process Tree

  • System is w10x64
  • jXzrIReInY.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\jXzrIReInY.exe" MD5: 4EC77EB8280485764B6BC22F6CF7D57E)
    • msiexec.exe (PID: 6512 cmdline: C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI=" MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • msiexec.exe (PID: 4360 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 4344 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C5EB72BDE2B80B60A07F51ECA26339C7 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • msiexec.exe (PID: 4852 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 54779E8B78CD501470CD2E1995D98D79 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • plcd-player.exe (PID: 6620 cmdline: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe MD5: 25DDBD309BB8094229704383977C7268)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
Process Memory Space: plcd-player.exe PID: 6620 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
17.2.plcd-player.exe.35f94a0.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
17.2.plcd-player.exe.35f94a0.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
17.2.plcd-player.exe.2ce0000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 17.2.plcd-player.exe.2ce0000.1.unpack | Malware Configuration Extractor: Ursnif {"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: jXzrIReInY.exe | Virustotal: Detection: 52%
Source: jXzrIReInY.exe | Metadefender: Detection: 22%
Source: jXzrIReInY.exe | ReversingLabs: Detection: 35%
Antivirus / Scanner detection for submitted sample
Source: jXzrIReInY.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll | Avira: detection malicious, Label: TR/Redcap.chbhs
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe | Avira: detection malicious, Label: TR/Agent.kkknq
Source: 17.2.plcd-player.exe.1a0000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Unpacked PE file: 17.2.plcd-player.exe.1a0000.0.unpack
Source: jXzrIReInY.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txt
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txt
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txt
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txt
Source: jXzrIReInY.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Data\SkyDrive\Programming\Projects\Delimon\Delimon.Win32.IO 2013\Win32FileLibrary\obj\Release\Delimon.Win32.IO.pdb source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, Delimon.Win32.IO.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: jXzrIReInY.exe, decoder.dll.0.dr
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb @ source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: jXzrIReInY.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr
Source: Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdbp source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb] source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbk source: jXzrIReInY.exe
Source: Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: jXzrIReInY.exe
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp
Source: Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdb source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
Source: Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbi source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp
Source: Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb"" source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb0k source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source: Binary string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdbSHA256 source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr
Source: Binary string: d:\projects\SslCertBinding.Net\src\SslCertBinding.Net\obj\Release\SslCertBinding.Net.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:
Source: jXzrIReInY.exe, 00000000.00000000.257327545.0000000000435000.00000002.00020000.sdmp, jXzrIReInY.exe, 00000000.00000002.350001500.0000000000435000.00000002.00020000.sdmp | String found in binary or memory: !7Shell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Runtime Environment\Software\JavaSoft\Java Development Kit\JavaHomeFlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmp.partattachmentHEAD "=charsetfilename123DLDutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET*/*FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: jXzrIReInY.exe | String found in binary or memory: !LShell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Runtime Environment\Software\JavaSoft\Java Development Kit\JavaHomeFlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmp.partattachmentHEAD "=charsetfilename123DLDutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET*/*FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://aia.startssl.com/certs/ca.crt02
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://aia.startssl.com/certs/sub.class2.code.ca.crt0#
Source: jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmp | String found in binary or memory: http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4
Source: jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmp | String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
Source: jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmp | String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: jXzrIReInY.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: jXzrIReInY.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: jXzrIReInY.exe, 00000000.00000002.351250737.0000000003B7F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348127021.0000000003B71000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: jXzrIReInY.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: jXzrIReInY.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://crl.startssl.com/crtc2-crl.crl0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://crl.startssl.com/sfsca.crl0C
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: jXzrIReInY.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: jXzrIReInY.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: jXzrIReInY.exe, 00000000.00000003.266930196.0000000001624000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.266967151.0000000001624000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/j
Source: jXzrIReInY.exe, 00000000.00000002.351250737.0000000003B7F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348127021.0000000003B71000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: jXzrIReInY.exe, 00000000.00000002.351250737.0000000003B7F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348127021.0000000003B71000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: jXzrIReInY.exe, 00000000.00000003.266901842.0000000001600000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e63855f36c428
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | String found in binary or memory: http://icu-project.org
Source: jXzrIReInY.exe, 00000000.00000003.267465626.0000000001622000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.267660560.000000000163F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.266930196.0000000001624000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.266967151.0000000001624000.00000004.00000001.sdmp | String found in binary or memory: http://locdl.windowsupdate.com/
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://mybusinesscatalog.com0
Source: jXzrIReInY.exe, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: http://ocsp.comodoca.com0B
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: jXzrIReInY.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: jXzrIReInY.exe | String found in binary or memory: http://ocsp.sectigo.com0)
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://ocsp.startssl.com/ca00
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://ocsp.startssl.com/sub/class2/code/ca0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr | String found in binary or memory: http://t2.symcb.com0
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr | String found in binary or memory: http://tl.symcd.com0&
Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.MyBusinessCatalog.com
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.ecb.int/vocabulary/2002-08-01/eurofxref
Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.gesmes.org/xml/2002-08-01
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://www.openssl.org/V
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://www.startssl.com/0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: http://www.startssl.com/policy.pdf0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | String found in binary or memory: http://www.unicode.org/copyright.html
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr | String found in binary or memory: https://aka.ms/azsdkvalueprop.
Source: currencysystem5.json.0.dr | String found in binary or memory: https://currencysystem.com
Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp | String found in binary or memory: https://currencysystem.com/gfx/pub/script-button-88x31.gif
Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp, currencysystem5.json.0.dr | String found in binary or memory: https://currencysystem.com/gfx/pub/script-button-88x31.png
Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp | String found in binary or memory: https://currencysystem.com/gfx/pub/script-icon-16x16.gif
Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp, currencysystem5.json.0.dr | String found in binary or memory: https://currencysystem.com/gfx/pub/script-icon-16x16.png
Source: plcd-player.exe, 00000011.00000002.530727824.00000000031EB000.00000004.00000010.sdmp | String found in binary or memory: https://get.u
Source: plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmp | String found in binary or memory: https://get.updates.avast.cn/
Source: plcd-player.exe, 00000011.00000002.529180964.0000000002BC2000.00000004.00000001.sdmp | String found in binary or memory: https://get.updates.avast.cn/$$
Source: plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmp | String found in binary or memory: https://get.updates.avast.cn/SN
Source: plcd-player.exe, 00000011.00000002.529180964.0000000002BC2000.00000004.00000001.sdmp | String found in binary or memory: https://get.updates.avast.cn/rentVersion
Source: plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmp | String found in binary or memory: https://get.updates.avast.cn/sreamble/g9_2FKpoNdUnXGannE6/i8VP6bKIH0KEVZxtH_2Fnm/ZbHMSZIAuG_2F/S_2FZ
Source: jXzrIReInY.exe, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0D
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr | String found in binary or memory: https://secure.comodo.com/CPS0L
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | String found in binary or memory: https://www.globalsign.com/repository/03
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr | String found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Certificates
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr | String found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Keys
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr | String found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Secrets
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown | DNS traffic detected: queries for: get.updates.avast.cn
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001C03A0 RtlEnterCriticalSection,RtlLeaveCriticalSection,Sleep,select,__WSAFDIsSet,WSARecv,WSAGetLastError,RtlLeaveCriticalSection,

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: plcd-player.exe PID: 6620, type: MEMORYSTR
Source: Yara match | File source: 17.2.plcd-player.exe.35f94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.plcd-player.exe.35f94a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.plcd-player.exe.2ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, type: MEMORY
Source: plcd-player.exe, 00000011.00000002.528124057.00000000010CA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: plcd-player.exe PID: 6620, type: MEMORYSTR
Source: Yara match | File source: 17.2.plcd-player.exe.35f94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.plcd-player.exe.35f94a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.plcd-player.exe.2ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, type: MEMORY

System Summary:

PE file has a writeable .text section
Source: plcd-player.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: plcd-player.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Writes or reads registry keys via WMI
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: jXzrIReInY.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI9CCF.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\3e96f3.msi
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Code function: 0_3_03BC579B
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Code function: 0_3_03BC579B
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_02CEAFC0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_02CE7FBE
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_02CE836E
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001E0130
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_003574B9
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_003644AF
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_00373483
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_003735A3
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001D75D0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001FB960
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001CAAB0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001D6AF0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_00205D70
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001DAF30
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001A1C90 GetProcAddress,NtCreateSection,memset,
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001A1703 NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001A19A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_02CE9A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_02CEB1E5 NtQueryVirtualMemory,
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePrereq.dllF vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000000.257395816.000000000049D000.00000002.00020000.sdmp | Binary or memory string: OriginalFileNameplcd-player.exe> vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameicuio58.dll vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUtilities_HelperlL vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamelibeay32.dllH vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Azure.KeyVault.Core.dll> vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSslCertBinding.Net.dllH vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamessleay32.dllH vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.Tasks.dllP vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameJDesktop.tools vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAWSSDK.SimpleDB.dllb! vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDelimon.Win32.IO.dllD vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dll8 vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamelzmaextractor.dllF vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAICustAct.dllF vs jXzrIReInY.exe
Source: jXzrIReInY.exe | Binary or memory string: OriginalFileNameplcd-player.exe> vs jXzrIReInY.exe
Source: jXzrIReInY.exe | Binary or memory string: OriginalFilenameDecoder.dllF vs jXzrIReInY.exe
Source: jXzrIReInY.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: plcd-player.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: plcd-player.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Section loaded: lpk.dll
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Section loaded: libftl2.dll
Source: Delimon.Win32.IO.dll.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: jXzrIReInY.exe | Virustotal: Detection: 52%
Source: jXzrIReInY.exe | Metadefender: Detection: 22%
Source: jXzrIReInY.exe | ReversingLabs: Detection: 35%
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File read: C:\Users\user\Desktop\jXzrIReInY.exe
Source: jXzrIReInY.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\jXzrIReInY.exe "C:\Users\user\Desktop\jXzrIReInY.exe"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C5EB72BDE2B80B60A07F51ECA26339C7 C
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI="
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 54779E8B78CD501470CD2E1995D98D79
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI="
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C5EB72BDE2B80B60A07F51ECA26339C7 C
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 54779E8B78CD501470CD2E1995D98D79
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user~1\AppData\Local\Temp\shi1C.tmp
Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/70@1/0
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File read: C:\Users\desktop.ini
Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncMethodTaskCache<TResult>.cs | Task registration methods: 'CreateCache', 'CreateCompleted'
Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncTaskMethodBuilder<TResult>.cs | Task registration methods: 'Create'
Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncTaskMethodBuilder.cs | Task registration methods: 'Create'
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_02CE8F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | Binary or memory string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb
Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/InflaterInputBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/InflaterInputBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/DeflaterOutputStream.cs | Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Encryption/ZipAESTransform.cs | Cryptographic APIs: 'TransformBlock'
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: jXzrIReInY.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: jXzrIReInY.exe | Static file information: File size 7840296 > 1048576
Source: jXzrIReInY.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x183c00
Source: jXzrIReInY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jXzrIReInY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jXzrIReInY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jXzrIReInY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jXzrIReInY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jXzrIReInY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: jXzrIReInY.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: jXzrIReInY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Data\SkyDrive\Programming\Projects\Delimon\Delimon.Win32.IO 2013\Win32FileLibrary\obj\Release\Delimon.Win32.IO.pdb | source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, Delimon.Win32.IO.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb | source: jXzrIReInY.exe, decoder.dll.0.dr
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb @ | source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 | source: jXzrIReInY.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb | source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr
Source: Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdbp | source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb] | source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbk | source: jXzrIReInY.exe
Source: Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdb | source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb | source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb | source: jXzrIReInY.exe
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb | source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp
Source: Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdb | source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
Source: Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb | source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbi | source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp
Source: Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb"" | source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb | source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb0k | source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb | source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source: Binary string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb | source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdbSHA256 | source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj | source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr
Source: Binary string: d:\projects\SslCertBinding.Net\src\SslCertBinding.Net\obj\Release\SslCertBinding.Net.pdb | source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb | source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp
Source: jXzrIReInY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jXzrIReInY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jXzrIReInY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jXzrIReInY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jXzrIReInY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Unpacked PE file: 17.2.plcd-player.exe.1a0000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Unpacked PE file: 17.2.plcd-player.exe.1a0000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Code function: 0_3_03BCFF1C push eax; retn 0006h
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Code function: 0_3_03BCFF1C push eax; retn 0006h
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Code function: 0_3_03BCFF1C push eax; retn 0006h
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Code function: 0_3_03BCFF1C push eax; retn 0006h
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Code function: 0_3_015E6090 push FFFFFFB2h; ret
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Code function: 0_3_015EA480 pushad ; ret
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Code function: 0_3_015DB03B push FFFFFF96h; ret
Source: C:\Users\user\Desktop\jXzrIReInY.exe | Code function: 0_3_015EA2AA pushad ; ret
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_02CEAC00 push ecx; ret
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_02CEE62F push edi; retf
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_02CEAFAF push ecx; ret
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_02CEE9AC push 0B565A71h; ret
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_00385731 push ecx; ret
Source: shi1C.tmp.0.dr | Static PE information: section name: .wpp_sf
Source: shi1C.tmp.0.dr | Static PE information: section name: .didat
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001A1264 LoadLibraryA,GetProcAddress,
Source: decoder.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x378b8
Source: lcms-5.0.dll.4.dr | Static PE information: real checksum: 0x4a44af should be: 0x4c891f
Source: lcms-5.0.dll.0.dr | Static PE information: real checksum: 0x4a44af should be: 0x4c891f
Source: jXzrIReInY.exe | Static PE information: real checksum: 0x7889d0 should be: 0x786e21
Source: shi1C.tmp.0.dr | Static PE information: 0x72F9C735 [Sun Feb 16 01:34:45 2031 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.27378716859
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ml
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ml
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Local\Temp\shi1C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\decoder.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA6F5.tmp
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA368.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\lcms-5.0.dll
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Local\Temp\MSI1B4.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Local\Temp\MSI4D2.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9CCF.tmp
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll
Source: C:\Users\user\Desktop\jXzrIReInY.exe | File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA5CB.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA23E.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA463.tmpJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9CCF.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA5CB.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA6F5.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA23E.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA368.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA463.tmpJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txtJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txtJump to behavior
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txtJump to behavior
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txtJump to behavior

              Hooking and other Techniques for Hiding and Protection:

              Yara detected Ursnif
              Source: Yara match | File source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: plcd-player.exe PID: 6620, type: MEMORYSTR
              Source: Yara match | File source: 17.2.plcd-player.exe.35f94a0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.plcd-player.exe.35f94a0.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.plcd-player.exe.2ce0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, type: MEMORY
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Process information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\jXzrIReInY.exe TID: 7100 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 6676 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 1404 | Thread sleep time: -240000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 2192 | Thread sleep count: 33 > 30
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll
              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi1C.tmp
              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll
              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll
              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIA5CB.tmp
              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIA23E.tmp
              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dll
              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dll
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll
              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dll
              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIA368.tmp
              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dll
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll
              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll
              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Thread delayed: delay time: 240000
              Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Thread delayed: delay time: 30000
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install FullSizeInformation
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
              Source: MSIA463.tmp.4.dr | Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
              Source: jXzrIReInY.exe, jXzrIReInY.exe, 00000000.00000003.348852801.00000000015DB000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.349301089.00000000015DF000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.304222076.00000000015DA000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000002.351250737.0000000003B7F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.349152083.00000000015FE000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.266915772.0000000001612000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.349183450.0000000001603000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348127021.0000000003B71000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.349121259.00000000015DE000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000002.350825569.0000000001613000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000002.350733762.00000000015E1000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.304259450.00000000015FE000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348370669.00000000015DB000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348413205.00000000015FE000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
              Source: plcd-player.exe, 00000011.00000002.528124057.00000000010CA000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_6DA76FED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001A1264 LoadLibraryA,GetProcAddress,
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_00202090 GetProcessHeap,RtlAllocateHeap,
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_6DA85BE9 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_00355B18 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_00366DDC mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_0039AC46 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_6DA67D41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_00347C2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_00359C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI="
              Source: plcd-player.exe, 00000011.00000002.528977634.0000000001790000.00000002.00020000.sdmp | Binary or memory string: uProgram Manager
              Source: plcd-player.exe, 00000011.00000002.528977634.0000000001790000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
              Source: plcd-player.exe, 00000011.00000002.528977634.0000000001790000.00000002.00020000.sdmp | Binary or memory string: Progman
              Source: plcd-player.exe, 00000011.00000002.528977634.0000000001790000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: GetLocaleInfoW,
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_02CE7A2E cpuid
              Source: C:\Users\user\Desktop\jXzrIReInY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001A1E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001A1752 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_02CE7A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

              Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: plcd-player.exe PID: 6620, type: MEMORYSTR
Source: Yara match | File source: 17.2.plcd-player.exe.35f94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.plcd-player.exe.35f94a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.plcd-player.exe.2ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, type: MEMORY

              Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: plcd-player.exe PID: 6620, type: MEMORYSTR
Source: Yara match | File source: 17.2.plcd-player.exe.35f94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.plcd-player.exe.35f94a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.plcd-player.exe.2ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001C10D0 WSAIoctl,bind,PostQueuedCompletionStatus,RtlEnterCriticalSection,RtlLeaveCriticalSection,WSAGetLastError,ioctlsocket,connect
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe | Code function: 17_2_001BF6D0 WSASocketW,setsockopt,bind,getsockname,listen,WSASocketW,connect,accept,ioctlsocket,setsockopt,ioctlsocket,setsockopt

              Mitre Att&ck Matrix

Each column of the matrix is listed below as "Tactic: techniques", in the row order of the original grid. Bracketed digits are the signature-hit badges printed next to a technique, reproduced exactly as extracted (two adjacent badges may have run together); the remaining entries are the unmatched cells of the grid.

Initial Access: Replication Through Removable Media [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools

Execution: Windows Management Instrumentation [2]; Native API [1]; Command and Scripting Interpreter [1]; Scheduled Task/Job [1]; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell

Persistence: DLL Side-Loading [1]; Scheduled Task/Job [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron

Privilege Escalation: DLL Side-Loading [1]; Process Injection [2]; Scheduled Task/Job [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron

Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [23]; Timestomp [1]; DLL Side-Loading [1]; File Deletion [1]; Masquerading [31]; Virtualization/Sandbox Evasion [21]; Process Injection [2]; Right-to-Left Override

Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture

Discovery: System Time Discovery [1]; Peripheral Device Discovery [11]; Account Discovery [1]; File and Directory Discovery [1]; System Information Discovery [35]; Query Registry [1]; Security Software Discovery [21]; Virtualization/Sandbox Evasion [21]; Process Discovery [3]; System Owner/User Discovery [1]; Remote System Discovery [1]

Lateral Movement: Replication Through Removable Media [1]; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media

Collection: Archive Collected Data [11]; Input Capture [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium

Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols

Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station

Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop

              Behavior Graph


              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 528552 | Sample: jXzrIReInY | Start date: 25/11/2021 | Architecture: WINDOWS | Score: 100

Signatures attached to the sample node: Found malware configuration; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 7 other signatures

Process tree (numbers in parentheses are the node's counters from the legend above, created registry values / created files, as shown in the graph):

• msiexec.exe (28, 53) started
  • dropped: C:\Users\user\AppData\...\plcd-player.exe (PE32); C:\Windows\Installer\MSIA6F5.tmp (PE32); C:\Windows\Installer\MSIA5CB.tmp (PE32); 14 other files (none is malicious)
  • plcd-player.exe (6) started
    • DNS/IP: get.updates.avast.cn
  • msiexec.exe started
  • msiexec.exe started
• jXzrIReInY.exe (66) started
  • dropped: C:\Users\user\AppData\...\plcd-player.exe (PE32); C:\Users\user\AppData\...\lcms-5.0.dll (PE32); C:\Users\user\AppData\Roaming\...\decoder.dll (PE32); 12 other files (none is malicious)
  • msiexec.exe (2) started

              Screenshots

Thumbnails: the screenshot images of the analysis VM are not reproduced in this text capture.

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
jXzrIReInY.exe | 52% | Virustotal |
jXzrIReInY.exe | 23% | Metadefender |
jXzrIReInY.exe | 36% | ReversingLabs | Win32.Trojan.Chapak
jXzrIReInY.exe | 100% | Avira | TR/Agent.llseq

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll | 100% | Avira | TR/Redcap.chbhs
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe | 100% | Avira | TR/Agent.kkknq
C:\Users\user\AppData\Local\Temp\MSI1B4.tmp | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\MSI1B4.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI4D2.tmp | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\MSI4D2.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\shi1C.tmp | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\shi1C.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll | 0% | Metadefender |
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll | 0% | Metadefender |
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll | 0% | Metadefender |
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll | 0% | Metadefender |
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll | 0% | ReversingLabs |

              Unpacked PE Files

Source | Detection | Scanner | Label
17.2.plcd-player.exe.2ce0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
17.2.plcd-player.exe.1a0000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen8

              Domains

Source | Detection | Scanner | Label
windowsupdate.s.llnwi.net | 0% | Virustotal |
get.updates.avast.cn | 0% | Virustotal |

              URLs

Source | Detection | Scanner | Label
https://get.updates.avast.cn/sreamble/g9_2FKpoNdUnXGannE6/i8VP6bKIH0KEVZxtH_2Fnm/ZbHMSZIAuG_2F/S_2FZ | 0% | Avira URL Cloud | safe
http://crl.startssl.com/sfsca.crl0C | 0% | Virustotal |
http://crl.startssl.com/sfsca.crl0C | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://currencysystem.com/gfx/pub/script-icon-16x16.gif | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://www.ecb.int/vocabulary/2002-08-01/eurofxref | 0% | Avira URL Cloud | safe
https://currencysystem.com/gfx/pub/script-button-88x31.gif | 0% | Avira URL Cloud | safe
http://aia.startssl.com/certs/sub.class2.code.ca.crt0# | 0% | Avira URL Cloud | safe
http://mybusinesscatalog.com0 | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
http://www.startssl.com/policy.pdf0 | 0% | Avira URL Cloud | safe
https://currencysystem.com/gfx/pub/script-button-88x31.png | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | Avira URL Cloud | safe
http://ocsp.startssl.com/sub/class2/code/ca0 | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://get.updates.avast.cn/$$ | 0% | Avira URL Cloud | safe
http://www.gesmes.org/xml/2002-08-01 | 0% | Avira URL Cloud | safe
http://ocsp.startssl.com/ca00 | 0% | URL Reputation | safe
http://crl.startssl.com/crtc2-crl.crl0 | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0) | 0% | Avira URL Cloud | safe
http://www.MyBusinessCatalog.com | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
https://currencysystem.com/gfx/pub/script-icon-16x16.png | 0% | Avira URL Cloud | safe
https://get.updates.avast.cn/SN | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://aia.startssl.com/certs/ca.crt02 | 0% | URL Reputation | safe
http://www.startssl.com/0 | 0% | Avira URL Cloud | safe
https://get.updates.avast.cn/ | 0% | Avira URL Cloud | safe
https://get.updates.avast.cn/rentVersion | 0% | Avira URL Cloud | safe
https://currencysystem.com | 0% | Avira URL Cloud | safe
https://get.u | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
windowsupdate.s.llnwi.net | 178.79.225.128 | true | false | | unknown
get.updates.avast.cn | unknown | unknown | true | | unknown

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | false | | high
https://get.updates.avast.cn/sreamble/g9_2FKpoNdUnXGannE6/i8VP6bKIH0KEVZxtH_2Fnm/ZbHMSZIAuG_2F/S_2FZ | plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.startssl.com/sfsca.crl0C | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | jXzrIReInY.exe | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | jXzrIReInY.exe | false | URL Reputation: safe | unknown
http://www.openssl.org/V | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | false | | high
http://www.unicode.org/copyright.html | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | false | | high
https://currencysystem.com/gfx/pub/script-icon-16x16.gif | jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | jXzrIReInY.exe | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | jXzrIReInY.exe | false | URL Reputation: safe | unknown
http://www.ecb.int/vocabulary/2002-08-01/eurofxref | jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.openssl.org/support/faq.html | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | false | | high
https://currencysystem.com/gfx/pub/script-button-88x31.gif | jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://aia.startssl.com/certs/sub.class2.code.ca.crt0# | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.nuget.org/packages/Azure.Security.KeyVault.Secrets | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr | false | | high
http://mybusinesscatalog.com0 | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0D | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI | jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmp | false | | high
http://www.startssl.com/policy.pdf0 | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://currencysystem.com/gfx/pub/script-button-88x31.png | jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp, currencysystem5.json.0.dr | false | Avira URL Cloud: safe | unknown
http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML | jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmp | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | jXzrIReInY.exe | false | Avira URL Cloud: safe | unknown
http://ocsp.startssl.com/sub/class2/code/ca0 | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | jXzrIReInY.exe, AWSSDK.SimpleDB.dll.4.dr | false | URL Reputation: safe | unknown
http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4 | jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmp | false | | high
https://get.updates.avast.cn/$$ | plcd-player.exe, 00000011.00000002.529180964.0000000002BC2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.nuget.org/packages/Azure.Security.KeyVault.Keys | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr | false | | high
http://www.gesmes.org/xml/2002-08-01 | jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.startssl.com/ca00 | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | false | URL Reputation: safe | unknown
https://aka.ms/azsdkvalueprop. | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr | false | | high
http://crl.startssl.com/crtc2-crl.crl0 | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | false | Avira URL Cloud: safe | unknown
http://ocsp.sectigo.com0) | jXzrIReInY.exe | false | Avira URL Cloud: safe | low
http://icu-project.org | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | false | | high
http://www.MyBusinessCatalog.com | jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.nuget.org/packages/Azure.Security.KeyVault.Certificates | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr | false | | high
https://currencysystem.com/gfx/pub/script-icon-16x16.png | jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp, currencysystem5.json.0.dr | false | Avira URL Cloud: safe | unknown
https://get.updates.avast.cn/SN | plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.thawte.com/cps0/ | jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr | false | | high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.thawte.com/repository0W | jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr | false | | high
http://aia.startssl.com/certs/ca.crt02 | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | false | URL Reputation: safe | unknown
https://www.advancedinstaller.com | jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr | false | | high
https://secure.comodo.com/CPS0L | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr | false | | high
http://www.startssl.com/0 | jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://get.updates.avast.cn/ | plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://get.updates.avast.cn/rentVersion | plcd-player.exe, 00000011.00000002.529180964.0000000002BC2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://currencysystem.com | currencysystem5.json.0.dr | false | Avira URL Cloud: safe | unknown
https://get.u | plcd-player.exe, 00000011.00000002.530727824.00000000031EB000.00000004.00000010.sdmp | false | Avira URL Cloud: safe | unknown
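The one URL in the table above that carries the sample's own traffic is the get.updates.avast.cn request recovered from plcd-player.exe memory. Its path shows the URI encoding long associated with Ursnif/ISFB: the (encrypted) request data is base64-encoded, '/' is rewritten as '_2F' and '+' as '_2B', and '/' separators are then scattered through the string so the path looks like a directory tree. Note that the Contacted Domains table marks the host malicious while the URL-reputation feeds return "safe" or "unknown"; the path structure, not the reputation score, is the usable indicator here. The following Python is an added example written by the editor; it is not part of the Joe Sandbox report and not code from the sample. It undoes the path transformation and gives a cheap heuristic for spotting such paths in proxy logs. It assumes that the first path component ("sreamble") is a non-payload prefix and that the URL in memory is truncated, so the decoded bytes are treated as opaque ciphertext and not interpreted. The '=' padding is recomputed from the length rather than recovered from the path, so the example does not depend on how a given build escapes it.

```python
"""Normalize and flag Ursnif/ISFB-style C2 URIs.

Added example (editor's code, not part of the Joe Sandbox report or of the
sample). ISFB builds its request path by base64-encoding the encrypted
request data, rewriting '/' as '_2F' and '+' as '_2B', and then scattering
'/' separators through the string so the path looks like nested directories.
The functions below reverse that transformation and give a heuristic for
spotting such paths in proxy logs.

Assumptions (not stated in the report): the first path component
("sreamble") is a non-payload prefix, and the payload recovered from memory
is truncated, so the decoded bytes are opaque ciphertext here.
"""
import base64
import re
from urllib.parse import urlsplit

# Taken from the "URLs from Memory and Binaries" table of the report.
SAMPLE_URL = ("https://get.updates.avast.cn/sreamble/g9_2FKpoNdUnXGannE6/"
              "i8VP6bKIH0KEVZxtH_2Fnm/ZbHMSZIAuG_2F/S_2FZ")

# Escaped base64 symbols as ISFB writes them into the URI path.
_ESCAPES = {"_2F": "/", "_2B": "+"}
_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]*$")


def normalize_isfb_path(path: str, skip_prefix_components: int = 1) -> str:
    """Return the padded base64 string hidden in an ISFB-style URI path.

    Drops the leading prefix component(s), removes the inserted '/'
    separators, undoes the _2F/_2B escapes and restores '=' padding.
    """
    components = [c for c in path.split("/") if c]
    joined = "".join(components[skip_prefix_components:])
    for token, char in _ESCAPES.items():
        joined = joined.replace(token, char)
    if not _B64_ALPHABET.match(joined):
        raise ValueError("path does not normalize to a base64 alphabet string")
    # Base64 text is padded to a multiple of 4; a remainder of 1 is impossible.
    remainder = len(joined) % 4
    if remainder == 1:
        raise ValueError("length is not a valid base64 length")
    return joined + "=" * ((4 - remainder) % 4)


def decode_isfb_payload(url: str) -> bytes:
    """Base64-decode the request data carried in an ISFB-style URL.

    In real traffic the result is still encrypted; this only recovers the
    raw bytes for further analysis.
    """
    return base64.b64decode(normalize_isfb_path(urlsplit(url).path))


def looks_like_isfb_uri(url: str) -> bool:
    """Heuristic: URL-escape tokens written with '_' instead of '%' inside
    the path, plus a path made of base64-looking segments. Ordinary web
    paths essentially never contain '_2F' or '_2B'."""
    path = urlsplit(url).path
    if not re.search(r"_2[FB]", path):
        return False
    components = [c for c in path.split("/") if c]
    b64ish = [c for c in components if re.fullmatch(r"[A-Za-z0-9_]+", c)]
    return len(b64ish) >= 2 and len("".join(b64ish)) >= 16


if __name__ == "__main__":
    print(normalize_isfb_path(urlsplit(SAMPLE_URL).path))
    print(len(decode_isfb_payload(SAMPLE_URL)), "bytes of opaque data")
    print(looks_like_isfb_uri(SAMPLE_URL))
```

For the URL from this report the normalized string is g9/KpoNdUnXGannE6i8VP6bKIH0KEVZxtH/nmZbHMSZIAuG/S/Z= (38 bytes once decoded), and the heuristic flags it while leaving ordinary paths such as /images/logo_2x.png alone. The heuristic is deliberately narrow so it can run over bulk proxy logs; confirm hits against the process and Yara evidence above rather than treating it as a verdict on its own.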

                                              Contacted IPs

                                              No contacted IP infos

                                              General Information

                                              Joe Sandbox Version:34.0.0 Boulder Opal
                                              Analysis ID:528552
                                              Start date:25.11.2021
                                              Start time:13:49:18
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 11m 25s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:jXzrIReInY (renamed file extension from none to exe)
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@10/70@1/0
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 4.9% (good quality ratio 4.8%)
                                              • Quality average: 73.1%
                                              • Quality standard deviation: 26.8%
                                              HCA Information:Failed
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                              • Excluded IPs from analysis (whitelisted): 92.122.145.220, 173.222.108.226, 173.222.108.210
                                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, wu-shim.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
• Not all processes were analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
13:50:26 | API Interceptor | 1x Sleep call for process: jXzrIReInY.exe modified
13:51:02 | API Interceptor | 2x Sleep call for process: plcd-player.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

Match: windowsupdate.s.llnwi.net
Note: this is a Windows Update CDN hostname, so the samples below share benign update infrastructure with this sample, not attacker infrastructure.

Associated Sample Name / URL                         Detection    Context (IP)
m5AlAQ7Q8p.exe                                       malicious    95.140.230.128
0BPXSzHXZE.exe                                       malicious    95.140.230.128
hdgqcfpqji.exe                                       malicious    178.79.225.0
lhvzcskYLPyellowfacebrownietacohead.dll              malicious    95.140.236.128
INVOICE - FIRST 2 CONTAINERS 1110.docx               malicious    178.79.225.128
nXOpgPAbKC.dll                                       malicious    178.79.242.128
yezVNLNobB.dll                                       malicious    178.79.242.128
d2EyAMvU47.dll                                       malicious    95.140.236.128
5Fp1yvQlGM.dll                                       malicious    178.79.242.0
IQKuIlAiRd.dll                                       malicious    178.79.242.128
BKHDGAM73508.vbs                                     malicious    95.140.236.128
DHL Shipping Document.exe                            malicious    178.79.242.128
DHL Delivery Doc.exe                                 malicious    178.79.242.0
KgtyOfJo2W.dll                                       malicious    95.140.236.128
h5ZcTHDXbJ.dll                                       malicious    95.140.236.128
SCygJvetwW.dll                                       malicious    178.79.242.0
56ccc26e09e1216a0a310091d538c178ae68492ebc6bb.exe    malicious    178.79.242.0
DOC_1003394276473336675207.docm                      malicious    95.140.236.0
details_2229.xlsb                                    malicious    178.79.242.0
items.doc                                            malicious    178.79.242.128

                                              ASN

                                              No context

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

Match: C:\Users\user\AppData\Local\Temp\MSI1B4.tmp
Associated Sample Name / URL    Detection
L5Q0nTmSYF.exe                  malicious
m5AlAQ7Q8p.exe                  malicious
KlLljqCnUf.exe                  malicious
769sEMcQXR.exe                  malicious
3kRLUW6m5a.exe                  malicious
hdgqcfpqji.exe                  malicious
yRqHWQ91dT.exe                  malicious
o4c8AUtX1g.exe                  malicious
farcry6_repack.exe              malicious

Match: C:\Users\user\AppData\Local\Temp\MSI4D2.tmp
Associated Sample Name / URL    Detection
cX0XLcXbVY.exe                  malicious
L5Q0nTmSYF.exe                  malicious
m5AlAQ7Q8p.exe                  malicious
KlLljqCnUf.exe                  malicious
769sEMcQXR.exe                  malicious
3kRLUW6m5a.exe                  malicious
hdgqcfpqji.exe                  malicious
o4c8AUtX1g.exe                  malicious
farcry6_repack.exe              malicious

                                                                                  Created / dropped Files

                                                                                  C:\Config.Msi\3e96f5.rbs
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):5179
                                                                                  Entropy (8bit):5.646075332370666
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:+UblaV4pDyj0onGIlKjeRhmgKpdGUO7PVRTl0Afk8Gy/W9DJzEgGMe0nTVw/r04U:+Uvp2j0on2jeRhmgSGUO7NRTSAs8Gy/c
                                                                                  MD5:A44D4B86A5F1C60E3C03BD1622C56A04
                                                                                  SHA1:3146AD6015538397C20ED912EFA484745DB1D756
                                                                                  SHA-256:976E88DAC72E3E7AC6B2399066B7180E5F52400E5ED4CA380AD844D33B5978BD
                                                                                  SHA-512:7FEB4D5AE07BF189C9B32804EAF0960DB70D466E6CDF1D1D38C67A6B22EFEDCE59B8FCBAC425FA648CEABF3F328B0429A460E74D0908815F9298CD9CEBD6A824
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview: ...@IXOS.@.....@ZnyS.@.....@.....@.....@.....@.....@......&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}..JDesktop Tools..adv.msi.@.....@.....@.....@........&.{D9FF1A35-78F9-49F0-A6A0-DB3A11387835}.....@.....@.....@.....@.......@.....@.....@.......@......JDesktop Tools......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F5BA1B6B-756B-4B40-A5CB-A8A21E79DAE6}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{FC3D5B52-2561-4633-85CB-6F8B8A86F2F9}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{8C82D735-0397-4468-B16C-3DB17F7A7006}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{0B568A04-369C-43FB-98E4-C437A15709E0}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{D0054317-E107-45C9-BD82-07B794597760}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{4CE558F3-30D7-4710-8A30-53FF7CA0A97F}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{A396B091-4840-44D8-ADD7-69BE85386878}&.{4A523951-0A2F-4D65-A3
                                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:Microsoft Cabinet archive data, 61414 bytes, 1 file
                                                                                  Category:dropped
                                                                                  Size (bytes):61414
                                                                                  Entropy (8bit):7.995245868798237
                                                                                  Encrypted:true
                                                                                  SSDEEP:1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
                                                                                  MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
                                                                                  SHA1:2AAAE490BCDACCC6172240FF1697753B37AC5578
                                                                                  SHA-256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
                                                                                  SHA-512:FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
                                                                                  Malicious:false
                                                                                  Reputation:moderate, very likely benign file
                                                                                  Preview: MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..*i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF.*...f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..*y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.*a..x..O..V.t..Y1!.T..`U...-...< _@...|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....
                                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):328
                                                                                  Entropy (8bit):3.0944535883568105
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:kKgl7k8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:o79kPlE99SNxAhUeYlUSA/t
                                                                                  MD5:B39D2A576D114D01CC782C8A3C9A4EBF
                                                                                  SHA1:3A6748FCED922413C2310733C19505213B3E68F8
                                                                                  SHA-256:0A38BF1EFDBE38B3ED2C5632C5B55C6237171A019D35A6E92CFC6EF19894807E
                                                                                  SHA-512:B41F25324078467D81FC645716D35EFFF283C2EE5D00C0512167CB3B70D99E4EDF663CDD766E52BF44552EC3D6727FADF4ACA7A167D9303005F39070752018F4
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview: p...... ........,.itF...(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...
                                                                                  C:\Users\user\AppData\Local\Temp\MSI1B4.tmp
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):402912
                                                                                  Entropy (8bit):6.383799484265228
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
                                                                                  MD5:3D24A2AF1FB93F9960A17D6394484802
                                                                                  SHA1:EE74A6CEEA0853C47E12802961A7A8869F7F0D69
                                                                                  SHA-256:8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
                                                                                  SHA-512:F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
                                                                                  Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: L5Q0nTmSYF.exe, Detection: malicious
• Filename: m5AlAQ7Q8p.exe, Detection: malicious
• Filename: KlLljqCnUf.exe, Detection: malicious
• Filename: 769sEMcQXR.exe, Detection: malicious
• Filename: 3kRLUW6m5a.exe, Detection: malicious
• Filename: hdgqcfpqji.exe, Detection: malicious
• Filename: yRqHWQ91dT.exe, Detection: malicious
• Filename: o4c8AUtX1g.exe, Detection: malicious
• Filename: farcry6_repack.exe, Detection: malicious
                                                                                  Reputation:low
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Temp\MSI4D2.tmp
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):887264
                                                                                  Entropy (8bit):6.436854443892135
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:gJgZXlAIjfQhETbF+RWQNgXAo1sVz1v0Mny+PkfsJJ10FRzVTv:F/fQhksQQNgXAo1sVzhly+PkfsJJ10FT
                                                                                  MD5:0BE6E02D01013E6140E38571A4DA2545
                                                                                  SHA1:9149608D60CA5941010E33E01D4FDC7B6C791BEA
                                                                                  SHA-256:3C5DB91EF77B947A0924675FC1EC647D6512287AA891040B6ADE3663AA1FD3A3
                                                                                  SHA-512:F419A5A95F7440623EDB6400F9ADBFB9BA987A65F3B47996A8BB374D89FF53E8638357285485142F76758BFFCB9520771E38E193D89C82C3A9733ED98AE24FCB
                                                                                  Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: cX0XLcXbVY.exe, Detection: malicious
• Filename: L5Q0nTmSYF.exe, Detection: malicious
• Filename: m5AlAQ7Q8p.exe, Detection: malicious
• Filename: KlLljqCnUf.exe, Detection: malicious
• Filename: 769sEMcQXR.exe, Detection: malicious
• Filename: 3kRLUW6m5a.exe, Detection: malicious
• Filename: hdgqcfpqji.exe, Detection: malicious
• Filename: o4c8AUtX1g.exe, Detection: malicious
• Filename: farcry6_repack.exe, Detection: malicious
                                                                                  Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............................4................................................3......3......3.?.....W....3......Rich............................PE..L.....Ia.........."!................................................................KC....@.............................t...d........................p..........T.......p...................@.......h...@............................................text............................... ..`.rdata..............................@..@.data...4...........................@....rsrc................|..............@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Temp\shi1C.tmp
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):3440640
                                                                                  Entropy (8bit):6.332754172601424
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:iGfM3glOz6pNbH2qLG1cWJ2asQceg4LApnrkLgQ63lOT0q4Fn6rmLn:Lc3wFeyCulhqUn
                                                                                  MD5:59A74284EACB95118CEDD7505F55E38F
                                                                                  SHA1:ACDC28D6A1EF5C197DE614C46BA07AEAEB25B50B
                                                                                  SHA-256:7C8EA70CA8EFB47632665833A6900E8F2836945AA80828B30DA73FBF4FCAF4F5
                                                                                  SHA-512:E69A82ADC2D13B413C0689E9BF281704A5EF3350694690BA6F3FE20DA0F66396245B9756D52C37166013F971C79C124436600C373544321A44D71F75A16A2B6A
                                                                                  Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E..2..a..a..a..=aa.an..`..an..`..an..`..a..a..an..`..an..`..an..`l.an.Qa..an..`..aRich..a........................PE..d...5..r.........." .....n...H......P.........................................4.....g.4...`A........................................p.0.L&....0.......2......@1...............4......F'.T....................*..(....................q..8...Tc0......................text...o........................... ..`.wpp_sf.Y........................... ..`.rdata...Z.......\...r..............@..@.data....A....0.......0.............@....pdata.......@1.......0.............@..@.didat........2......V2.............@....rsrc.........2......b2.............@..@.reloc........4......b4.............@..B................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):62088
                                                                                  Entropy (8bit):5.87884188749315
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:0mzFpEBNMGwcQHanzzd2UE/8YVkEyDrKe2xDBoPnp:dFpEBNMGwcsa8f/8a6Pp
                                                                                  MD5:5AEB79663EA837F8A7A98DC04674B37A
                                                                                  SHA1:536C24EF0572354E922A8C4A09CF5350D8A6164D
                                                                                  SHA-256:E13D9F958783595ACD8ACDBFF4D587BCA7E7B6A3AAB796E2EFBD65BD37431536
                                                                                  SHA-512:25E4E48EC2162EA6342CFD823E789ED0B5A995BB61FA3FA68364D1EE2468974FA4E75C17EB2CB3DDB213E633136C9AAB139BBF32FB8688FF5B1ABF444E8BB652
                                                                                  Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....tx..........." ..0.................. ........... .......................@.......x....@.................................H...O....... .................... ......x...8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B................|.......H.......$b.............................................................v.~....}.....(.....r...p(....*.r...p*.r...p*..{....*Br...p(.........*"..(....*&...(....*:..o.....(....*:........(....*B..........(....*&...(....*..(....*F.(....s....( ...*b.(....s....%.o!...( ...*6.(.....( ...*6..s....(....*R..s....%.o!...(....*&...( ...*:...s....(....*V...s....%.o!...(....**....("...*>....s....(....*^....s....%..o!...(....*2......(#...*.s$...*"..(%...*.0..........(.....(.........(...+*..
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txt
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1569
                                                                                  Entropy (8bit):5.078244393355221
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:rlXOOrpJAzJzGl0PE9432sEs32s3IEtd132RTHy:peOrpJAzJzGlBq3b38OSTS
                                                                                  MD5:734B7CB601EA82D8B4A9926373323B06
                                                                                  SHA1:37490788B803335FA3AAD761B3EA0010889B2D8D
                                                                                  SHA-256:90F301E30B61CDF8AC5E29F4FDD0E81C535FCAABF06B48D36B110A3F35E5A3D2
                                                                                  SHA-512:273F154273DEDF9B06BBA74AEB81BF905309B6F137A414310B1E96C218095CC6B49EE663932815D6771C9BE1D033B014F57E7AE72C7B7FD396A9C254FA124706
                                                                                  Malicious:false
                                                                                  Preview: Copyright (c) 2003, The CrashRpt Project Authors...All rights reserved.....Redistribution and use in source and binary forms, with or without modification, ..are permitted provided that the following conditions are met:.... * Redistributions of source code must retain the above copyright notice, this .. list of conditions and the following disclaimer..... * Redistributions in binary form must reproduce the above copyright notice, .. this list of conditions and the following disclaimer in the documentation .. and/or other materials provided with the distribution..... * Neither the name of the author nor the names of its contributors .. may be used to endorse or promote products derived from this software without .. specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY ..EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ..OF MERCHANTABILITY AND FITNESS
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):940032
                                                                                  Entropy (8bit):7.265468453378986
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:SjtToSCODTjAKMmNRYzUubi85LKHtToSCOD7jAK4mNRP:2Vxtqw/85LKHV1pt
                                                                                  MD5:40C4EA80985E48C095D9F3AF80215C12
                                                                                  SHA1:B7EAECB4CF5E45F7E3946BCD1C249A46428CA8C0
                                                                                  SHA-256:2B1678502F69BCCBA816FE2901A12BD15567C4113D8EC5B0C9EBA3A1AEA7C633
                                                                                  SHA-512:8C1FCFACEBA8273D4307FDC2AF0E8D137CF162838ED0C9AC198D0A29EC0E4E6B8A6B8C202BC415B2353889B4429ED9B07D784F367B2B339F65090242C78D64AA
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                   • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......P...........!.....N...........l... ........... ..............................{g....@..................................l..S...................................Pk............................................... ............... ..H............text....L... ...N.................. ..`.rsrc................P..............@..@.reloc...............V..............@..B.................l......H.......x...............j...n..P .......................................{.Z.L&.$.......v....lk..AC4..{E.0..X.....?3!...^..Q@..L.{._wSIwnsb].E.D...H=.{.s/.....H.f.q.kn...O.1y.\e.A./.[D.:#..T.h..6...}......}.....s....}.....s....}.....(....*J.s....}'....(....*..0..)........{-........(....t......|-.....(...+...3.*....0..)........{-........(....t......|-.....(...+...3.*....0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|......(...+.
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):200704
                                                                                  Entropy (8bit):5.683688089372797
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:hjMibqfQqFyGCDXiW9Pp/+Tl4abpuu201PB1BBXIDwtqSPVINrAfvp1:GibqI59PpOPf201/z7p
                                                                                  MD5:C8164876B6F66616D68387443621510C
                                                                                  SHA1:7A9DF9C25D49690B6A3C451607D311A866B131F4
                                                                                  SHA-256:40B3D590F95191F3E33E5D00E534FA40F823D9B1BB2A9AFE05F139C4E0A3AF8D
                                                                                  SHA-512:44A6ACCC70C312A16D0E533D3287E380997C5E5D610DBEAA14B2DBB5567F2C41253B895C9817ECD96C85D286795BBE6AB35FD2352FDDD9D191669A2FB0774BC4
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                   • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.K...........!......... ......^.... ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txt
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):4532
                                                                                  Entropy (8bit):4.840297093762095
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:D9moghaxhFkV9RGGQwGok+iOJ54d7JdEgUVVN7XzUKyeraku:knhIhmz8pJdLk/7XAKy7x
                                                                                  MD5:54A36434CA791404E0EE1894A7FB257A
                                                                                  SHA1:E99BA6366C22F9E4693F6317352EAA5854F0F429
                                                                                  SHA-256:5FCC77BA8A6D6DCA5ECD466F7706133A17571EAAA1B45D4613E2BF5C58DEC678
                                                                                  SHA-512:87942ABBE3BC1C87BB77323D4E43D63A30ACE3B569FF16363D871B77A306A64569A8655B0B3A526B31F901BA5F081BFE122B7DF7F0C491637DD3050EC948D071
                                                                                  Malicious:false
                                                                                  Preview: MyBusinessCatalog Platinum....Copyright: (c)2002-2021 Alexander Chulpanov..Homepage: http://www.MyBusinessCatalog.com..E-mail: info@MyBusinessCatalog.com..==============================================......You should carefully read the following terms and..conditions before using this software.......MyBusinessCatalog is try-before-buy software. This means:....1. All copyrights to MyBusinessCatalog are exclusively owned by the author . Alexander Chulpanov.....2.1 You can use the FREE version of MyBusinessCatalog with restrictions applicable to unregistered version...The DEMO (free) version allows outputs 50 items (to PDF, Printer etc)..Trial periad - 30 days...If a Mobiliger subscription is already active, the trial period for..MyBusinessCatalog Free is automatically extended.....2.2 Registered version...MyBusinessCatalog Platinum - PDF Studio License...Allows creating PDF and Printable catalogs...Small Business License includes 1 (one) year of free software updates.....MyBusin
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):16968
                                                                                  Entropy (8bit):6.369067823836705
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:YdX0XY0X+DeljFWt6O9QHRN7fhKtklxHQJ:YdXuhvU8ZOJ
                                                                                  MD5:FEC0A2AB4AB150DAD477E0D4885637CE
                                                                                  SHA1:5A3C8920DE1B3F2F7867A20D05C94DE5B2779B81
                                                                                  SHA-256:746760FE317B9721FB761209F0F9F7E1A5126390970AAC5FD93F11504FFE3D30
                                                                                  SHA-512:11C7C941D31902CCC9F9E07166CF6E181E0ADF7BAEA0986B863CEFD71591431C0D630018B5514C66D6670BFAD1F8ACD363AC19BED486FB92B06DE83A4669C7A0
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....(..........." ..0.............>.... ...@....... ..............................+.....`..................................-..O....@..................H$...`.......,..T............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B........................H.......P .. ...................p,......................................BSJB............v4.0.30319......l...(...#~..........#Strings............#US.........#GUID...........#Blob...........G..........3......................................................................b...+.b.....O.........&.l.....*.....*.....*.....*...?.*...\.*.....*.....*.......................[.............................................<...................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):24200
                                                                                  Entropy (8bit):6.286319408230414
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:PecpB4zReJOVOm9FziUm0exVSiIgm19J8AG4oHHith5kCCeYghu+:3DgeO97m0exVfKwxniQghu+
                                                                                  MD5:EDCEB39D12707299F6501AE9472A2FD1
                                                                                  SHA1:F4BE70378AF9FEA7355307CF66E0F5A50590E974
                                                                                  SHA-256:FA2C262A94F90DAD052A6A5D190F347CD1B8D8BACD7417B8B3FFF56F7D42ECB4
                                                                                  SHA-512:08406BEDE6C980A1C36EC427C1D86F05F11A41EC366F3821D7B229649B10F3AF9D37AFE7A5A55C7D32D90F0B7D0A43848AF3B20DEA2D2D3669130AAA08729BD2
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                   • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..U...........!.....:...........X... ...`....... ...............................x....@..................................X..W....`...............B..............\W............................................... ............... ..H............text....8... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............@..............@..B.................X......H.......$-..8*..................P ......................................\7..4...tTh......A_RF...+X.P.k........_.'....R|RY.r..d.(...._..h4.*...sN.:..QU.e...RY..%........(.Y.Kf6.7.w...T..(;._|n....{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:modified
                                                                                  Size (bytes):35016
                                                                                  Entropy (8bit):6.54246973766738
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:WL0xHprBefGMOrRQY+hoZhOZkcvr3Eql38WqATrOhEZ0GftpBj1x+ILKHRN7c6lE:NRBefGBkoWjvr0VabKirxmcM+
                                                                                  MD5:85F6F590B5C4B8C7253E9C403C9BE607
                                                                                  SHA1:D5A9DB942A50C8821BACD7F6030202C57EC4708B
                                                                                  SHA-256:D20552FD5C8C8C9759608A84DB1E216DA738F5E9F46DE9E8A3F39A0D6265CB8B
                                                                                  SHA-512:9C78CB444E28618D44E9DEB23571FC7BBCE268882C2803E0CCC0E84B3E6EAB89C6AF2AAC0D81EF0D2C9FD1E9611CB35334EF3304FB16C5BA0481F6A7273C3660
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6.T...........!.....@..........._... ...`....... ....................................`.................................\_..O....`...............J...>..........$^............................................... ............... ..H............text....?... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................._......H.......h..../..................P .......................................#..ON.... "J.0..r....6RbR[..44....F.....E.X....1.XIE...:....5.M...Txn.\rycn.....o|.V}...l}.1En...`.T. \(e .u..=.nA...@p:.(......}....*R..r...p.(.....(...+*N..r...p.(....(...+*R..r...p.(.....(...+*Z...r...p.(......(...+*Z...r...p.(......(...+*..0..$...........(...+..-.........*..o..........*.0..............(...+..-.s....z.o....*...0..............(...+..-.s....z.o....*...0..............(...+..-..*.
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\currencysystem4.js
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):18727
                                                                                  Entropy (8bit):5.228912164616093
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:vADBz8NWcg8Yt0Mp9sXYGb0JPMfBH1FBIpz4vl:vADBz8NWcg8Y2Mp9sXlb0OfBH1F+pz4t
                                                                                  MD5:E001FBA3F73ADB83B5B9DCD2A32F1C7B
                                                                                  SHA1:D0B3A5615F30226072BA90A961DBAD1CE0ED23E2
                                                                                  SHA-256:60A987CFE5AE817D5D5ED82E1F39C3C537321EE9AB9A0B902DB2990F66B99887
                                                                                  SHA-512:6DF77E4AC29B0AF120C2EE9380BACD4D1E02C08E9F6E7CD293959F7438294182B773B3C75E0DED111C3EEFD511B09FDF2F43927D68884572F745464705EE81A9
                                                                                  Malicious:false
                                                                                  Preview: /*...Copyright (C) 1998-2009 Currency System, Inc. All rights reserved....$VER: Currency System Script Library 4.6..*/....// Currency object constructor..//..function Currency(code, nameS, nameST, symbol, rateEUR, smallestUnit, regime, physical, legalTender, popularity)..{...this.code = code;...this.nameS = nameS; // singular...this.nameST = nameST; // singular titlestyle...this.symbol = symbol;...this.rateEUR = rateEUR;...this.smallestUnit = smallestUnit;...this.regime = regime;...this.physical = physical;...this.legalTender = legalTender;...this.popularity = popularity;..}....// CurrencySystem object constructor..//..function CurrencySystem()..{...this.version = "4.6";...this.initialized = 0;...//...this.initialize = currencySystem_initialize; // object.method=function(){} syntax not supported in Netscape Navigator 3...this.converterCodeExists = currencySystem_converterCodeExists;...this.converterCodeIsUsed = currencySystem_converterCodeIsUsed;...this.converterUnusedCode = currenc
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\currencysystem5.js
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):18850
                                                                                  Entropy (8bit):5.252718939622608
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:LVJMqzg8F9zp/OQMhEF7IXs1NmrgfTPzD5bL29h1FDiTYyf1CQx/TuTmkk6aez4U:LV2Ig8FanXcmrgfTlwOH1ltsz4v8
                                                                                  MD5:866B6E8A186BE6005A140CFE9F578CD8
                                                                                  SHA1:E0B2E5344097EF4C1C0A8BE851C5DE27C7F490DB
                                                                                  SHA-256:0A5731729919FEDC1A3B81C651087AB200C9470FA75A89BEBEA73AE0478F30E5
                                                                                  SHA-512:BE84B6A9B893DC0D66113287942A388BAFB0629AE67E6C02A8E09E98A028D50CCFA082A2C1B5BFAFA273ACF9E6338E961FA208B62EF6BEE43D8BFD5E6D4619A9
                                                                                  Malicious:false
                                                                                  Preview: /*...Copyright (C) 1998-2012 Currency System, Inc. All rights reserved....$VER: Currency System Script Library 5.2..*/....// Currency object constructor..//..function Currency(code, nameS, nameST, symbol, rateEUR, smallestUnit, regime, physical, legalTender, popularity)..{...this.code = code;...this.nameS = nameS; // singular...this.nameST = nameST; // singular titlestyle...this.symbol = symbol;...this.rateEUR = rateEUR;...this.smallestUnit = smallestUnit;...this.regime = regime;...this.physical = physical;...this.legalTender = legalTender;...this.popularity = popularity;..}....// CurrencySystem object constructor..//..function CurrencySystem()..{...this.version = "5.1";...this.initialized = 0;...//...this.initialize = currencySystem_initialize; // object.method=function(){} syntax not supported in Netscape Navigator 3...this.widgetCurrencyIsListed = currencySystem_widgetCurrencyIsListed;...this.widgetCurrencyIsUsed = currencySystem_widgetCurrencyIsUsed;...this.widgetSuggestUnusedCu
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\currencysystem5.json
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):635
                                                                                  Entropy (8bit):4.968896753287593
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:G3in27KkdcynYKFfaYKQItIl7eTaYKRHTaYKQItI9txrZOaYKB3i8T:G3i27KkdvYKtaYK3qteTaYKRHTaYK3qz
                                                                                  MD5:D5BE63A1E66E4D6597F49BFD15EB3D83
                                                                                  SHA1:6B0D0E3101EDB0C92C14691745765DE49CDB7C01
                                                                                  SHA-256:A1CF701C876F916AACB12A3B952D1D2A38889C2AC118AF9D89493F0A86A45C5D
                                                                                  SHA-512:6F8CD8F4D18D978F9B30E00322E3CC020B1C3ADD6B6307ED96EBB47B422DD15DDE4BB82698AE755CEF57F8BA3B1BDBD6F47D83CF08471E7B131B8CF8B20ACA55
                                                                                  Malicious:false
                                                                                  Preview: {...<currencysystem-insert-header>....."embedLicense": "This service is free to use as long as the banner and link appear on all pages using it. See the Attribution information at currencysystem.com.",..."embedSmallBannerGfx": "https://currencysystem.com/gfx/pub/script-button-88x31.png",..."embedSmallBannerText": "Powered by Currrency System",..."embedSmallBannerLink": "https://currencysystem.com",....."embedSmallHomeGfx": "https://currencysystem.com/gfx/pub/script-icon-16x16.png",..."embedSmallHomeText": "Currrency System Homepage",..."embedSmallHomeLink": "https://currencysystem.com",.....<currencysystem-insert-currencies>..}
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\ecb-eurofxref-daily.xml
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:XML 1.0 document, ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):403
                                                                                  Entropy (8bit):5.022779704233175
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:TMVBd/5Q3JLHAc4Mj/9mc4C7drcDqhsDgLHLvvssw92PXCEZqilvs/BRi8LqfaR/:TMHduFHjFbdrcDWPu2XCMei8Lqai8L/
                                                                                  MD5:376F44C2269588374F0F7E876BB3CFFA
                                                                                  SHA1:1241AC750F7CA447D7A74EB516838C39516AA841
                                                                                  SHA-256:3B96E197B1A47E7A391385638E13A0CF42E04E1665470A89EABECC67D1B91323
                                                                                  SHA-512:744C894429453B5E40241FEA6A2EBD354BF2B06C5AD9B4439BE1CCACD15B89C487A1FE100851F23E7A2212CCAC600FC8519224855D7AC72F09E6AABD1E8AC6C9
                                                                                  Malicious:false
                                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<gesmes:Envelope xmlns:gesmes="http://www.gesmes.org/xml/2002-08-01" xmlns="http://www.ecb.int/vocabulary/2002-08-01/eurofxref">..<gesmes:subject>Reference rates</gesmes:subject>..<gesmes:Sender>...<gesmes:name>European Central Bank</gesmes:name>..</gesmes:Sender>..<Cube>... currencysystem-insert-->... /currencysystem-insert-->..</Cube>.</gesmes:Envelope>.
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {D9FF1A35-78F9-49F0-A6A0-DB3A11387835}, Number of Words: 8, Subject: JDesktop Tools, Author: JDesktop Integration Components (JDIC) Project, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                                                                  Category:dropped
                                                                                  Size (bytes):2233856
                                                                                  Entropy (8bit):6.540847260876917
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:TDs/YrEUl8VlvfqAE/fQhksQQNgXAo1sVzhly+PkfsJJ10FRzVT8ajBK+ByqV4Tq:GYrEkXAEfs01sVNrajM+
                                                                                  MD5:9AFC8137B547561655D454AFF862E567
                                                                                  SHA1:2DAB8B1B9F1AE612E9CD359207751B452C76CB0D
                                                                                  SHA-256:86747F0567ADBDD895E23E25760AF726A87000BD01EBEF994352EFAD7EB3987C
                                                                                  SHA-512:91B99B561FBD3C6F3C2583CBF13D9FAF31AAFE6EFDB82667F646AD9F245904D3EF8F37B4CD11E141ECBEBDB7724414E21C4A8F7886CE68FFAC7B0BB8B1B5383B
                                                                                  Malicious:false
                                                                                  Preview: ......................>...................#...................................I.......v.......................................................................................................................|...........................................................................................................................................................................................................................................................................................................................c...............%...8........................................................................................... ...!..."...#...$...0.../...'...(...)...*...+...,...-...........6...1...2...3...4...5...9...7...?...C...:...;...<...=...>...B...@...A...K...S...D...E...F...G...H...R.......K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\help.chm
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:MS Windows HtmlHelp Data
                                                                                  Category:dropped
                                                                                  Size (bytes):325845
                                                                                  Entropy (8bit):7.966997729785747
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:upVysoxdLmULS5Nv5czGT6ozCF6DWc4kYBDrHDDoicYs0meNdts:iAsWJmUSjBczf3c4dHDDoicYs0re
                                                                                  MD5:DF113262CBB4AD90D0D889620BDEFB06
                                                                                  SHA1:D94D2111F9FD566941FF96DBA6237D126591E512
                                                                                  SHA-256:195BAFB549728E15B392B5A2FCBD41003D2472B1AD82AED449175C37E5834657
                                                                                  SHA-512:B3DDFCCEFFDE24791DFB9587D5AEBC406B9EC3408B38D50C70AC324931C37FD7F55099C7F84B8359A76ACA1BB0E350977451639CC0E61241EBE16D6F4DB90976
                                                                                  Malicious:false
                                                                                  Preview: ITSF....`..........g.......|.{.......".....|.{......."..`...............x.......T.......................................ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...5.../#ITBITS..../#IVB...Rd./#STRINGS...U.i./#SYSTEM....;./#TOPICS...5.p./#URLSTR...Y.|./#URLTBL...%.4./#WINDOWS.....L./$FIftiMain...}..8./$OBJINST...>.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...:../$WWKeywordLinks/..../$WWKeywordLinks/Property...6. /about-how-create-a-catalog.html..{.z!/catalog-makers-context-menu.html..u.62/cd-catalog-creator-first-lanche-informations.html..+.[+/checkboxes-options-in-catalog-builder.html...x.../checkboxes_html_117d54ec.png...h.../checkboxes_html_m548d6b7e.png...m.X./checkboxes_html_m59955fe6.png..._.../checkboxes_html_m678cf8a3.png...E.2 /context_menu_html_m6108afb8.png...S.n,/create-order-from-enduser-cd-catalogue.html..A..,/create_a_catalog_related_products_user.html...x.~./how-use-cd-catalog.html
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):54224
                                                                                  Entropy (8bit):6.686697566242328
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:8n6iCEsBHqIXN0llUofqcOZkE5z7L/cLlvBQ+8iAYS:GuEsdXL/cLlGD1
                                                                                  MD5:249D164D4361F1BBF827331A2C5B8E64
                                                                                  SHA1:225AE2D2E277B817962D3A65666706BDF7AE6067
                                                                                  SHA-256:492ADEB85D95834A97FC2C1BD61347202111A3773CE4DE35FC1597C52BE7AAB3
                                                                                  SHA-512:16B656E17A305503A01C7429EC44DC9DED0DEC39F50844F5CAFF2484AF3F3551F11B620C63111361A5D333AA16A7DB0A2DC7FF5C895AA6C9252F21CA42223A17
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H.....s_..s_..s_..._..s_F.p^..s_F.v^..s_F.w^..s_F.r^..s_..r^..s_.i._..s_..r_a.s_..w^..s_..v^..s_..s^..s_..._..s_..._..s_..q^..s_Rich..s_........PE..L......Z...........!.....r...6.......r.............J................................"...................................................8................)..............T...............................@............................................text....p.......r.................. ..`.rdata...".......$...v..............@..@.data...............................@....rsrc...8...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):4993536
                                                                                  Entropy (8bit):6.871255823719978
                                                                                  Encrypted:false
                                                                                  SSDEEP:98304:vdG+iN2k+e/VO+0X30DQHDbOXh9A0DESaHafv4UZDCr:A+Hk+eX0BHDbOXh9A0DeHfUZDS
                                                                                  MD5:B6723B31F67956E747493BC64F2C7A59
                                                                                  SHA1:72389ECF849BFDA364E84258E5857A3DF07E5BFC
                                                                                  SHA-256:3361AC8727ABA86AC7F3AAC3A214C3CB76F1AF9FF7EE5E94C52C30FDCB7D5064
                                                                                  SHA-512:E17FEA164BB00E65BE0E58771A728FC9CED5BD65AE2FEC9E55C5697E69A498404B6D52B529DF774012C9F1268D29D97AD3CAFD404BAD58B3C36535A52AB6E09B
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........ ...A...A...A...9N..A...*...A...*...A..4...A..4...A..4...A..4...A..h(...A..4...A...A..C..4...A..G4...A..G4"..A...AJ..A..G4...A..Rich.A..Rich...................PE..L...2.oa...........!.....87.........Py!......P7...............................L......DJ...@.........................P.E.D.....E.......G.H2....................I.,...........................@.B.......B.@............P7..............................text....77......87................. ..`.rdata.......P7......<7.............@..@.data.........F..b....E.............@....rsrc...H2....G..4...DG.............@..@.reloc..,.....I......xI.............@..B................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1379352
                                                                                  Entropy (8bit):6.864605291373112
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:Rcbj++KpP3xREx5Fvvr3WH9IYf0mF8wBpoJqzTi1QA96:Rrpi3r3WH9IYf+wBpoJqzTi1QA96
                                                                                  MD5:7CC7637AB23A01396206E82EF45CDA0E
                                                                                  SHA1:209CC6CE91E24383213F1C2456D43E48BD09B8C4
                                                                                  SHA-256:E6C6568A2CD61E401DB4E4F317F139852502EEBB9FE1FBB9C92D7ECFA6524F7F
                                                                                  SHA-512:E13C48D6CB7B2983221F00C3FDC5DA4221D6B0383F68D74BCAC2AAF95CC7AE702E65DA517AAD51AD7DAD0B672F8436532F4612E7F0853AE0CA924635F3983F6D
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a..J%..%..%..,......,...>..%......!.....%..0..,......,...$..,...$..,...$..Rich%..................PE..L...<K.V...........!.....L...........u.......`...............................@.....................................0...r...l...x.......0................:.........pb..............................0...@............`..(............................text....J.......L.................. ..`.rdata...V...`...X...P..............@..@.data............t..................@....rsrc...0...........................@..@.reloc..P............"..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ml
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PDF document, version 1.5
                                                                                  Category:dropped
                                                                                  Size (bytes):418532
                                                                                  Entropy (8bit):7.992704655006582
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:gC3QjgVE/DGk/1gsQR4jflsCEqmnUT9ca7cgTe9b:F3m7zqieCU4NlTO
                                                                                  MD5:EF946663D3A336BDACB512BF32C8F8F2
                                                                                  SHA1:1A02B2DEE5CD8815BA977A09505F0B38FEA27665
                                                                                  SHA-256:0B77203265ADCB18A878383978BCE5C8D6A1D253FE1EFC16B8B161B42F03B79F
                                                                                  SHA-512:B5E45C3F22F31FD1538C982C83F75DA1015FF56235B26EA1707DCA6B1BC1E41FB11557593CED91D5BF927B985511DBA4047C898A1FE9EB7903932FDBF6C85829
                                                                                  Malicious:false
                                                                                  Preview: %PDF-1.5.%.....2 0 obj.<<./Type /ObjStm./N 100./First 806./Length 1140 ./Filter /FlateDecode.>>.stream.x.V]o.8.|....h..H.E...m.P\q.........d.r..fe.n....%..........*.y.....KB...4....d.....$..$i....P...I9.Z.R....I..%.c.#.eZ.)|.%.g...0i.Q.........E...&.^c..8..g.N.Y!..W.r... .A...!,.`...........0.......O`B.$.t8X",x=.)..BHi....<.$.x.Lb..2.....L.`.l)r..M....^.R.k....%.n.....^..'`..,...3.@e....P...5.Z..8&....9..j.g....|.H..P.....".Y..D.z1)...$.c..2.&,.....B..du.....&.....T.7j%..P-..#P/.9(*&5g....W..=..f.x.fc...{".8.,.w)....0.\..(.%..1..&.'`v...(g.....r.K....;.y.....n.....S...+z.>{......l+...r.{...#x.8....n....._..........1^...u..X.....n.7.9.1..c...Kz.....2t.rQ7..L.q.I.2{....'z.....=....]9....p.0.....n.vU?n...P....n"<...9).cu>.}_.I.be>4]7........$i*N._t...1..........t..2....nG..o)..E..6.........r...se..=...;].vz...4......y...S...E=. aH..zp.tP.*.. .Hu;u.f..?...)L......U.P.y..1|..\.MH..=...C.....[]s?......h....g.B9../..l....k..1:wE.S.v.:
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):3768184
                                                                                  Entropy (8bit):6.323324235457555
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:mdziNWio/OWFGZ/7pqfwbAFj1IKdn9kvOIBzuJTHPfw8xZcca9KJi4EIdG:sBaNsKKdn9AzBqw8xZcca9KJi4s
                                                                                  MD5:25DDBD309BB8094229704383977C7268
                                                                                  SHA1:1574D860469EE784034093199DC9533543E5C096
                                                                                  SHA-256:8C7E6A620F4BBC343C2695C2E034CC628062B5C2A6B05461FC41B05436F45147
                                                                                  SHA-512:16CF4205B16F83A3EFEC96660190EFE254919EA18FBC6EB23F45D5C77B0A4A7EFD5DFA36EC1FC43BD79D1D4959A2FA9E172AB842CE7DE754CDC62912752892BA
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  Preview: MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......N..,..............O.....X..~....X..~....X..~....X..~.......~........e...\..~....\..~....\.#.......K.....\..~....Rich.....`.SH..R.`[RK..RJ.3RK..R.`.SK..RRichJ..R........................PE..L....,oa.............................u............@...........................9.....q.9...@.................................,S1.d.....4..5...........l9.x.....7.............................@.......H...@...............x............................text.............................. ....rdata..B...........................@..@.data....;...p1..(...T1.............@....rsrc....5....4..6...|4.............@..@.reloc........7.......7.............@..B................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):349720
                                                                                  Entropy (8bit):6.600820777591867
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:Nv4Nuw10tGJjPZTbGT/yMzU/RSzBnEywGrfG/ySTJ7a7hNl/K5bv3jgNZuDwsLB+:N4Nuw10tGJjPZTbkyMzU/RSzBnHHrf+0
                                                                                  MD5:F0AED1A32121A577594ECD66980C3ED3
                                                                                  SHA1:288954A8D6F48639B7605488D2796B14291507E5
                                                                                  SHA-256:D02CC01A7D9ADC1E6F980D1A56D6A641DF9E2A63FDC5F007264D1BF59ECC1446
                                                                                  SHA-512:056670F3074AF5A03326C2BE5FFA0FEC23010DDC25BBED07B295EA3F6C7F8DFBC73E40E11E20103EFEB3B230096F630FB0A3CFA61C4E0A74C15A1CB6319D85D9
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............r...r...r.......r.......r......r......r...s.4.r....\.r.......r......r......r.Rich..r.................PE..L...<K.V...........!.........l.......).......................................p......................................p...9)......<.... ..0................:...0...,..0...............................x{..@............................................text............................... ..`.rdata..............................@..@.data....[.......@..................@....rsrc...0.... ......................@..@.reloc..b3...0...4..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\decoder.dll
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):207360
                                                                                  Entropy (8bit):6.451841062476738
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:Xnc8s5yYYVegTR5eO29YoYhNsli0rCckZ9uNDOQH5TmIKO+mAwzvX5Q+M9/:fV79tRUi7ckZSFxPtM9
                                                                                  MD5:454418EBD68A4E905DC2B9B2E5E1B28C
                                                                                  SHA1:A54CB6A80D9B95451E2224B6D95DE809C12C9957
                                                                                  SHA-256:73D5F96A6A30BBD42752BFFC7F20DB61C8422579BF8A53741488BE34B73E1409
                                                                                  SHA-512:171F85D6F6C44ACC90D80BA4E6220D747E1F4FF4C49A6E8121738E8260F4FCEB01FF2C97172F8A3B20E40E6F6ED29A0397D0C6E5870A9EBFF7B7FB6FAF20C647
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................z.............................r.@.....@.....@.x.........@.....Rich..................PE..L.....Ia.........."!.....X...................p............................................@.........................p...........<....p.. ...............................p........................... ...@............p..t............................text...\V.......X.................. ..`.rdata..\....p.......\..............@..@.data...dV..........................@....rsrc... ....p......................@..@.reloc........... ..................@..B........................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\holder0.aiph
                                                                                  Process:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):12613117
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:5EB8E16CA980C4FD12FB68F5BDEA2453
                                                                                  SHA1:A28C1272997B3EE0AFE2C4FB9FBA8153BAE0D6B2
                                                                                  SHA-256:6FAE30A56DA63F2DDB1E8BA7B636EA0167B8DDEA08F4F600E81DC6393CB624A4
                                                                                  SHA-512:91245C324225023A98B3A5CCA52F07660D2AB740884BF84083E65347DC8FF9F12322A908D52D6D91D2933834A01AB851816EDDA01229710C3D0FB675F563065F
                                                                                  Malicious:false
                                                                                  Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dll
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):62088
                                                                                  Entropy (8bit):5.87884188749315
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:0mzFpEBNMGwcQHanzzd2UE/8YVkEyDrKe2xDBoPnp:dFpEBNMGwcsa8f/8a6Pp
                                                                                  MD5:5AEB79663EA837F8A7A98DC04674B37A
                                                                                  SHA1:536C24EF0572354E922A8C4A09CF5350D8A6164D
                                                                                  SHA-256:E13D9F958783595ACD8ACDBFF4D587BCA7E7B6A3AAB796E2EFBD65BD37431536
                                                                                  SHA-512:25E4E48EC2162EA6342CFD823E789ED0B5A995BB61FA3FA68364D1EE2468974FA4E75C17EB2CB3DDB213E633136C9AAB139BBF32FB8688FF5B1ABF444E8BB652
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....tx..........." ..0.................. ........... .......................@.......x....@.................................H...O....... .................... ......x...8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B................|.......H.......$b.............................................................v.~....}.....(.....r...p(....*.r...p*.r...p*..{....*Br...p(.........*"..(....*&...(....*:..o.....(....*:........(....*B..........(....*&...(....*..(....*F.(....s....( ...*b.(....s....%.o!...( ...*6.(.....( ...*6..s....(....*R..s....%.o!...(....*&...( ...*:...s....(....*V...s....%.o!...(....**....("...*>....s....(....*^....s....%..o!...(....*2......(#...*.s$...*"..(%...*.0..........(.....(.........(...+*..
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txt
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1569
                                                                                  Entropy (8bit):5.078244393355221
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:rlXOOrpJAzJzGl0PE9432sEs32s3IEtd132RTHy:peOrpJAzJzGlBq3b38OSTS
                                                                                  MD5:734B7CB601EA82D8B4A9926373323B06
                                                                                  SHA1:37490788B803335FA3AAD761B3EA0010889B2D8D
                                                                                  SHA-256:90F301E30B61CDF8AC5E29F4FDD0E81C535FCAABF06B48D36B110A3F35E5A3D2
                                                                                  SHA-512:273F154273DEDF9B06BBA74AEB81BF905309B6F137A414310B1E96C218095CC6B49EE663932815D6771C9BE1D033B014F57E7AE72C7B7FD396A9C254FA124706
                                                                                  Malicious:false
                                                                                  Preview: Copyright (c) 2003, The CrashRpt Project Authors...All rights reserved.....Redistribution and use in source and binary forms, with or without modification, ..are permitted provided that the following conditions are met:.... * Redistributions of source code must retain the above copyright notice, this .. list of conditions and the following disclaimer..... * Redistributions in binary form must reproduce the above copyright notice, .. this list of conditions and the following disclaimer in the documentation .. and/or other materials provided with the distribution..... * Neither the name of the author nor the names of its contributors .. may be used to endorse or promote products derived from this software without .. specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY ..EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ..OF MERCHANTABILITY AND FITNESS
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):940032
                                                                                  Entropy (8bit):7.265468453378986
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:SjtToSCODTjAKMmNRYzUubi85LKHtToSCOD7jAK4mNRP:2Vxtqw/85LKHV1pt
                                                                                  MD5:40C4EA80985E48C095D9F3AF80215C12
                                                                                  SHA1:B7EAECB4CF5E45F7E3946BCD1C249A46428CA8C0
                                                                                  SHA-256:2B1678502F69BCCBA816FE2901A12BD15567C4113D8EC5B0C9EBA3A1AEA7C633
                                                                                  SHA-512:8C1FCFACEBA8273D4307FDC2AF0E8D137CF162838ED0C9AC198D0A29EC0E4E6B8A6B8C202BC415B2353889B4429ED9B07D784F367B2B339F65090242C78D64AA
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......P...........!.....N...........l... ........... ..............................{g....@..................................l..S...................................Pk............................................... ............... ..H............text....L... ...N.................. ..`.rsrc................P..............@..@.reloc...............V..............@..B.................l......H.......x...............j...n..P .......................................{.Z.L&.$.......v....lk..AC4..{E.0..X.....?3!...^..Q@..L.{._wSIwnsb].E.D...H=.{.s/.....H.f.q.kn...O.1y.\e.A./.[D.:#..T.h..6...}......}.....s....}.....s....}.....(....*J.s....}'....(....*..0..)........{-........(....t......|-.....(...+...3.*....0..)........{-........(....t......|-.....(...+...3.*....0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|......(...+.
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dll
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):200704
                                                                                  Entropy (8bit):5.683688089372797
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:hjMibqfQqFyGCDXiW9Pp/+Tl4abpuu201PB1BBXIDwtqSPVINrAfvp1:GibqI59PpOPf201/z7p
                                                                                  MD5:C8164876B6F66616D68387443621510C
                                                                                  SHA1:7A9DF9C25D49690B6A3C451607D311A866B131F4
                                                                                  SHA-256:40B3D590F95191F3E33E5D00E534FA40F823D9B1BB2A9AFE05F139C4E0A3AF8D
                                                                                  SHA-512:44A6ACCC70C312A16D0E533D3287E380997C5E5D610DBEAA14B2DBB5567F2C41253B895C9817ECD96C85D286795BBE6AB35FD2352FDDD9D191669A2FB0774BC4
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.K...........!......... ......^.... ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txt
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):4532
                                                                                  Entropy (8bit):4.840297093762095
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:D9moghaxhFkV9RGGQwGok+iOJ54d7JdEgUVVN7XzUKyeraku:knhIhmz8pJdLk/7XAKy7x
                                                                                  MD5:54A36434CA791404E0EE1894A7FB257A
                                                                                  SHA1:E99BA6366C22F9E4693F6317352EAA5854F0F429
                                                                                  SHA-256:5FCC77BA8A6D6DCA5ECD466F7706133A17571EAAA1B45D4613E2BF5C58DEC678
                                                                                  SHA-512:87942ABBE3BC1C87BB77323D4E43D63A30ACE3B569FF16363D871B77A306A64569A8655B0B3A526B31F901BA5F081BFE122B7DF7F0C491637DD3050EC948D071
                                                                                  Malicious:false
                                                                                  Preview: MyBusinessCatalog Platinum....Copyright: (c)2002-2021 Alexander Chulpanov..Homepage: http://www.MyBusinessCatalog.com..E-mail: info@MyBusinessCatalog.com..==============================================......You should carefully read the following terms and..conditions before using this software.......MyBusinessCatalog is try-before-buy software. This means:....1. All copyrights to MyBusinessCatalog are exclusively owned by the author . Alexander Chulpanov.....2.1 You can use the FREE version of MyBusinessCatalog with restrictions applicable to unregistered version...The DEMO (free) version allows outputs 50 items (to PDF, Printer etc)..Trial periad - 30 days...If a Mobiliger subscription is already active, the trial period for..MyBusinessCatalog Free is automatically extended.....2.2 Registered version...MyBusinessCatalog Platinum - PDF Studio License...Allows creating PDF and Printable catalogs...Small Business License includes 1 (one) year of free software updates.....MyBusin
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):16968
                                                                                  Entropy (8bit):6.369067823836705
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:YdX0XY0X+DeljFWt6O9QHRN7fhKtklxHQJ:YdXuhvU8ZOJ
                                                                                  MD5:FEC0A2AB4AB150DAD477E0D4885637CE
                                                                                  SHA1:5A3C8920DE1B3F2F7867A20D05C94DE5B2779B81
                                                                                  SHA-256:746760FE317B9721FB761209F0F9F7E1A5126390970AAC5FD93F11504FFE3D30
                                                                                  SHA-512:11C7C941D31902CCC9F9E07166CF6E181E0ADF7BAEA0986B863CEFD71591431C0D630018B5514C66D6670BFAD1F8ACD363AC19BED486FB92B06DE83A4669C7A0
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....(..........." ..0.............>.... ...@....... ..............................+.....`..................................-..O....@..................H$...`.......,..T............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B........................H.......P .. ...................p,......................................BSJB............v4.0.30319......l...(...#~..........#Strings............#US.........#GUID...........#Blob...........G..........3......................................................................b...+.b.....O.........&.l.....*.....*.....*.....*...?.*...\.*.....*.....*.......................[.............................................<...................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dll
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):24200
                                                                                  Entropy (8bit):6.286319408230414
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:PecpB4zReJOVOm9FziUm0exVSiIgm19J8AG4oHHith5kCCeYghu+:3DgeO97m0exVfKwxniQghu+
                                                                                  MD5:EDCEB39D12707299F6501AE9472A2FD1
                                                                                  SHA1:F4BE70378AF9FEA7355307CF66E0F5A50590E974
                                                                                  SHA-256:FA2C262A94F90DAD052A6A5D190F347CD1B8D8BACD7417B8B3FFF56F7D42ECB4
                                                                                  SHA-512:08406BEDE6C980A1C36EC427C1D86F05F11A41EC366F3821D7B229649B10F3AF9D37AFE7A5A55C7D32D90F0B7D0A43848AF3B20DEA2D2D3669130AAA08729BD2
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..U...........!.....:...........X... ...`....... ...............................x....@..................................X..W....`...............B..............\W............................................... ............... ..H............text....8... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............@..............@..B.................X......H.......$-..8*..................P ......................................\7..4...tTh......A_RF...+X.P.k........_.'....R|RY.r..d.(...._..h4.*...sN.:..QU.e...RY..%........(.Y.Kf6.7.w...T..(;._|n....{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):35016
                                                                                  Entropy (8bit):6.54246973766738
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:WL0xHprBefGMOrRQY+hoZhOZkcvr3Eql38WqATrOhEZ0GftpBj1x+ILKHRN7c6lE:NRBefGBkoWjvr0VabKirxmcM+
                                                                                  MD5:85F6F590B5C4B8C7253E9C403C9BE607
                                                                                  SHA1:D5A9DB942A50C8821BACD7F6030202C57EC4708B
                                                                                  SHA-256:D20552FD5C8C8C9759608A84DB1E216DA738F5E9F46DE9E8A3F39A0D6265CB8B
                                                                                  SHA-512:9C78CB444E28618D44E9DEB23571FC7BBCE268882C2803E0CCC0E84B3E6EAB89C6AF2AAC0D81EF0D2C9FD1E9611CB35334EF3304FB16C5BA0481F6A7273C3660
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6.T...........!.....@..........._... ...`....... ....................................`.................................\_..O....`...............J...>..........$^............................................... ............... ..H............text....?... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................._......H.......h..../..................P .......................................#..ON.... "J.0..r....6RbR[..44....F.....E.X....1.XIE...:....5.M...Txn.\rycn.....o|.V}...l}.1En...`.T. \(e .u..=.nA...@p:.(......}....*R..r...p.(.....(...+*N..r...p.(....(...+*R..r...p.(.....(...+*Z...r...p.(......(...+*Z...r...p.(......(...+*..0..$...........(...+..-.........*..o..........*.0..............(...+..-.s....z.o....*...0..............(...+..-.s....z.o....*...0..............(...+..-..*.
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Templates\currencysystem4.js
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):18727
                                                                                  Entropy (8bit):5.228912164616093
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:vADBz8NWcg8Yt0Mp9sXYGb0JPMfBH1FBIpz4vl:vADBz8NWcg8Y2Mp9sXlb0OfBH1F+pz4t
                                                                                  MD5:E001FBA3F73ADB83B5B9DCD2A32F1C7B
                                                                                  SHA1:D0B3A5615F30226072BA90A961DBAD1CE0ED23E2
                                                                                  SHA-256:60A987CFE5AE817D5D5ED82E1F39C3C537321EE9AB9A0B902DB2990F66B99887
                                                                                  SHA-512:6DF77E4AC29B0AF120C2EE9380BACD4D1E02C08E9F6E7CD293959F7438294182B773B3C75E0DED111C3EEFD511B09FDF2F43927D68884572F745464705EE81A9
                                                                                  Malicious:false
                                                                                  Preview: /*...Copyright (C) 1998-2009 Currency System, Inc. All rights reserved....$VER: Currency System Script Library 4.6..*/....// Currency object constructor..//..function Currency(code, nameS, nameST, symbol, rateEUR, smallestUnit, regime, physical, legalTender, popularity)..{...this.code = code;...this.nameS = nameS; // singular...this.nameST = nameST; // singular titlestyle...this.symbol = symbol;...this.rateEUR = rateEUR;...this.smallestUnit = smallestUnit;...this.regime = regime;...this.physical = physical;...this.legalTender = legalTender;...this.popularity = popularity;..}....// CurrencySystem object constructor..//..function CurrencySystem()..{...this.version = "4.6";...this.initialized = 0;...//...this.initialize = currencySystem_initialize; // object.method=function(){} syntax not supported in Netscape Navigator 3...this.converterCodeExists = currencySystem_converterCodeExists;...this.converterCodeIsUsed = currencySystem_converterCodeIsUsed;...this.converterUnusedCode = currenc
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Templates\currencysystem5.js
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):18850
                                                                                  Entropy (8bit):5.252718939622608
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:LVJMqzg8F9zp/OQMhEF7IXs1NmrgfTPzD5bL29h1FDiTYyf1CQx/TuTmkk6aez4U:LV2Ig8FanXcmrgfTlwOH1ltsz4v8
                                                                                  MD5:866B6E8A186BE6005A140CFE9F578CD8
                                                                                  SHA1:E0B2E5344097EF4C1C0A8BE851C5DE27C7F490DB
                                                                                  SHA-256:0A5731729919FEDC1A3B81C651087AB200C9470FA75A89BEBEA73AE0478F30E5
                                                                                  SHA-512:BE84B6A9B893DC0D66113287942A388BAFB0629AE67E6C02A8E09E98A028D50CCFA082A2C1B5BFAFA273ACF9E6338E961FA208B62EF6BEE43D8BFD5E6D4619A9
                                                                                  Malicious:false
                                                                                  Preview: /*...Copyright (C) 1998-2012 Currency System, Inc. All rights reserved....$VER: Currency System Script Library 5.2..*/....// Currency object constructor..//..function Currency(code, nameS, nameST, symbol, rateEUR, smallestUnit, regime, physical, legalTender, popularity)..{...this.code = code;...this.nameS = nameS; // singular...this.nameST = nameST; // singular titlestyle...this.symbol = symbol;...this.rateEUR = rateEUR;...this.smallestUnit = smallestUnit;...this.regime = regime;...this.physical = physical;...this.legalTender = legalTender;...this.popularity = popularity;..}....// CurrencySystem object constructor..//..function CurrencySystem()..{...this.version = "5.1";...this.initialized = 0;...//...this.initialize = currencySystem_initialize; // object.method=function(){} syntax not supported in Netscape Navigator 3...this.widgetCurrencyIsListed = currencySystem_widgetCurrencyIsListed;...this.widgetCurrencyIsUsed = currencySystem_widgetCurrencyIsUsed;...this.widgetSuggestUnusedCu
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Templates\currencysystem5.json
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):635
                                                                                  Entropy (8bit):4.968896753287593
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:G3in27KkdcynYKFfaYKQItIl7eTaYKRHTaYKQItI9txrZOaYKB3i8T:G3i27KkdvYKtaYK3qteTaYKRHTaYK3qz
                                                                                  MD5:D5BE63A1E66E4D6597F49BFD15EB3D83
                                                                                  SHA1:6B0D0E3101EDB0C92C14691745765DE49CDB7C01
                                                                                  SHA-256:A1CF701C876F916AACB12A3B952D1D2A38889C2AC118AF9D89493F0A86A45C5D
                                                                                  SHA-512:6F8CD8F4D18D978F9B30E00322E3CC020B1C3ADD6B6307ED96EBB47B422DD15DDE4BB82698AE755CEF57F8BA3B1BDBD6F47D83CF08471E7B131B8CF8B20ACA55
                                                                                  Malicious:false
                                                                                  Preview: {...<currencysystem-insert-header>....."embedLicense": "This service is free to use as long as the banner and link appear on all pages using it. See the Attribution information at currencysystem.com.",..."embedSmallBannerGfx": "https://currencysystem.com/gfx/pub/script-button-88x31.png",..."embedSmallBannerText": "Powered by Currrency System",..."embedSmallBannerLink": "https://currencysystem.com",....."embedSmallHomeGfx": "https://currencysystem.com/gfx/pub/script-icon-16x16.png",..."embedSmallHomeText": "Currrency System Homepage",..."embedSmallHomeLink": "https://currencysystem.com",.....<currencysystem-insert-currencies>..}
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Templates\ecb-eurofxref-daily.xml
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):403
                                                                                  Entropy (8bit):5.022779704233175
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:TMVBd/5Q3JLHAc4Mj/9mc4C7drcDqhsDgLHLvvssw92PXCEZqilvs/BRi8LqfaR/:TMHduFHjFbdrcDWPu2XCMei8Lqai8L/
                                                                                  MD5:376F44C2269588374F0F7E876BB3CFFA
                                                                                  SHA1:1241AC750F7CA447D7A74EB516838C39516AA841
                                                                                  SHA-256:3B96E197B1A47E7A391385638E13A0CF42E04E1665470A89EABECC67D1B91323
                                                                                  SHA-512:744C894429453B5E40241FEA6A2EBD354BF2B06C5AD9B4439BE1CCACD15B89C487A1FE100851F23E7A2212CCAC600FC8519224855D7AC72F09E6AABD1E8AC6C9
                                                                                  Malicious:false
                                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<gesmes:Envelope xmlns:gesmes="http://www.gesmes.org/xml/2002-08-01" xmlns="http://www.ecb.int/vocabulary/2002-08-01/eurofxref">..<gesmes:subject>Reference rates</gesmes:subject>..<gesmes:Sender>...<gesmes:name>European Central Bank</gesmes:name>..</gesmes:Sender>..<Cube>... currencysystem-insert-->... /currencysystem-insert-->..</Cube>.</gesmes:Envelope>.
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\help.chm
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:MS Windows HtmlHelp Data
                                                                                  Category:dropped
                                                                                  Size (bytes):325845
                                                                                  Entropy (8bit):7.966997729785747
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:upVysoxdLmULS5Nv5czGT6ozCF6DWc4kYBDrHDDoicYs0meNdts:iAsWJmUSjBczf3c4dHDDoicYs0re
                                                                                  MD5:DF113262CBB4AD90D0D889620BDEFB06
                                                                                  SHA1:D94D2111F9FD566941FF96DBA6237D126591E512
                                                                                  SHA-256:195BAFB549728E15B392B5A2FCBD41003D2472B1AD82AED449175C37E5834657
                                                                                  SHA-512:B3DDFCCEFFDE24791DFB9587D5AEBC406B9EC3408B38D50C70AC324931C37FD7F55099C7F84B8359A76ACA1BB0E350977451639CC0E61241EBE16D6F4DB90976
                                                                                  Malicious:false
                                                                                  Preview: ITSF....`..........g.......|.{.......".....|.{......."..`...............x.......T.......................................ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...5.../#ITBITS..../#IVB...Rd./#STRINGS...U.i./#SYSTEM....;./#TOPICS...5.p./#URLSTR...Y.|./#URLTBL...%.4./#WINDOWS.....L./$FIftiMain...}..8./$OBJINST...>.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...:../$WWKeywordLinks/..../$WWKeywordLinks/Property...6. /about-how-create-a-catalog.html..{.z!/catalog-makers-context-menu.html..u.62/cd-catalog-creator-first-lanche-informations.html..+.[+/checkboxes-options-in-catalog-builder.html...x.../checkboxes_html_117d54ec.png...h.../checkboxes_html_m548d6b7e.png...m.X./checkboxes_html_m59955fe6.png..._.../checkboxes_html_m678cf8a3.png...E.2 /context_menu_html_m6108afb8.png...S.n,/create-order-from-enduser-cd-catalogue.html..A..,/create_a_catalog_related_products_user.html...x.~./how-use-cd-catalog.html
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dll
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):54224
                                                                                  Entropy (8bit):6.686697566242328
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:8n6iCEsBHqIXN0llUofqcOZkE5z7L/cLlvBQ+8iAYS:GuEsdXL/cLlGD1
                                                                                  MD5:249D164D4361F1BBF827331A2C5B8E64
                                                                                  SHA1:225AE2D2E277B817962D3A65666706BDF7AE6067
                                                                                  SHA-256:492ADEB85D95834A97FC2C1BD61347202111A3773CE4DE35FC1597C52BE7AAB3
                                                                                  SHA-512:16B656E17A305503A01C7429EC44DC9DED0DEC39F50844F5CAFF2484AF3F3551F11B620C63111361A5D333AA16A7DB0A2DC7FF5C895AA6C9252F21CA42223A17
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H.....s_..s_..s_..._..s_F.p^..s_F.v^..s_F.w^..s_F.r^..s_..r^..s_.i._..s_..r_a.s_..w^..s_..v^..s_..s^..s_..._..s_..._..s_..q^..s_Rich..s_........PE..L......Z...........!.....r...6.......r.............J................................"...................................................8................)..............T...............................@............................................text....p.......r.................. ..`.rdata...".......$...v..............@..@.data...............................@....rsrc...8...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\lcms-5.0.dll
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):4993536
                                                                                  Entropy (8bit):6.871255823719978
                                                                                  Encrypted:false
                                                                                  SSDEEP:98304:vdG+iN2k+e/VO+0X30DQHDbOXh9A0DESaHafv4UZDCr:A+Hk+eX0BHDbOXh9A0DeHfUZDS
                                                                                  MD5:B6723B31F67956E747493BC64F2C7A59
                                                                                  SHA1:72389ECF849BFDA364E84258E5857A3DF07E5BFC
                                                                                  SHA-256:3361AC8727ABA86AC7F3AAC3A214C3CB76F1AF9FF7EE5E94C52C30FDCB7D5064
                                                                                  SHA-512:E17FEA164BB00E65BE0E58771A728FC9CED5BD65AE2FEC9E55C5697E69A498404B6D52B529DF774012C9F1268D29D97AD3CAFD404BAD58B3C36535A52AB6E09B
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........ ...A...A...A...9N..A...*...A...*...A..4...A..4...A..4...A..4...A..h(...A..4...A...A..C..4...A..G4...A..G4"..A...AJ..A..G4...A..Rich.A..Rich...................PE..L...2.oa...........!.....87.........Py!......P7...............................L......DJ...@.........................P.E.D.....E.......G.H2....................I.,...........................@.B.......B.@............P7..............................text....77......87................. ..`.rdata.......P7......<7.............@..@.data.........F..b....E.............@....rsrc...H2....G..4...DG.............@..@.reloc..,.....I......xI.............@..B................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1379352
                                                                                  Entropy (8bit):6.864605291373112
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:Rcbj++KpP3xREx5Fvvr3WH9IYf0mF8wBpoJqzTi1QA96:Rrpi3r3WH9IYf+wBpoJqzTi1QA96
                                                                                  MD5:7CC7637AB23A01396206E82EF45CDA0E
                                                                                  SHA1:209CC6CE91E24383213F1C2456D43E48BD09B8C4
                                                                                  SHA-256:E6C6568A2CD61E401DB4E4F317F139852502EEBB9FE1FBB9C92D7ECFA6524F7F
                                                                                  SHA-512:E13C48D6CB7B2983221F00C3FDC5DA4221D6B0383F68D74BCAC2AAF95CC7AE702E65DA517AAD51AD7DAD0B672F8436532F4612E7F0853AE0CA924635F3983F6D
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a..J%..%..%..,......,...>..%......!.....%..0..,......,...$..,...$..,...$..Rich%..................PE..L...<K.V...........!.....L...........u.......`...............................@.....................................0...r...l...x.......0................:.........pb..............................0...@............`..(............................text....J.......L.................. ..`.rdata...V...`...X...P..............@..@.data............t..................@....rsrc...0...........................@..@.reloc..P............"..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ml
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PDF document, version 1.5
                                                                                  Category:dropped
                                                                                  Size (bytes):418532
                                                                                  Entropy (8bit):7.992704655006582
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:gC3QjgVE/DGk/1gsQR4jflsCEqmnUT9ca7cgTe9b:F3m7zqieCU4NlTO
                                                                                  MD5:EF946663D3A336BDACB512BF32C8F8F2
                                                                                  SHA1:1A02B2DEE5CD8815BA977A09505F0B38FEA27665
                                                                                  SHA-256:0B77203265ADCB18A878383978BCE5C8D6A1D253FE1EFC16B8B161B42F03B79F
                                                                                  SHA-512:B5E45C3F22F31FD1538C982C83F75DA1015FF56235B26EA1707DCA6B1BC1E41FB11557593CED91D5BF927B985511DBA4047C898A1FE9EB7903932FDBF6C85829
                                                                                  Malicious:false
                                                                                  Preview: %PDF-1.5.%.....2 0 obj.<<./Type /ObjStm./N 100./First 806./Length 1140 ./Filter /FlateDecode.>>.stream.x.V]o.8.|....h..H.E...m.P\q.........d.r..fe.n....%..........*.y.....KB...4....d.....$..$i....P...I9.Z.R....I..%.c.#.eZ.)|.%.g...0i.Q.........E...&.^c..8..g.N.Y!..W.r... .A...!,.`...........0.......O`B.$.t8X",x=.)..BHi....<.$.x.Lb..2.....L.`.l)r..M....^.R.k....%.n.....^..'`..,...3.@e....P...5.Z..8&....9..j.g....|.H..P.....".Y..D.z1)...$.c..2.&,.....B..du.....&.....T.7j%..P-..#P/.9(*&5g....W..=..f.x.fc...{".8.,.w)....0.\..(.%..1..&.'`v...(g.....r.K....;.y.....n.....S...+z.>{......l+...r.{...#x.8....n....._..........1^...u..X.....n.7.9.1..c...Kz.....2t.rQ7..L.q.I.2{....'z.....=....]9....p.0.....n.vU?n...P....n"<...9).cu>.}_.I.be>4]7........$i*N._t...1..........t..2....nG..o)..E..6.........r...se..=...;].vz...4......y...S...E=. aH..zp.tP.*.. .Hu;u.f..?...)L......U.P.y..1|..\.MH..=...C.....[]s?......h....g.B9../..l....k..1:wE.S.v.:
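The records above carry, for each dropped file, an 8-bit entropy value, an "Encrypted" flag, a libmagic-style file type and a header preview; the "ml" record is the one worth a second look, since it has no extension, an entropy of 7.99 and is flagged encrypted, while the PE previews expose section names and flags. The Python below is an added worked example, not code from the sandbox report or the vendor, that reproduces those checks offline on constructed input: Shannon entropy per byte, an entropy-based "encrypted" heuristic, magic-byte sniffing against the file extension, and a minimal PE section-table walk that flags sections mapped both writable and executable. The 7.9 threshold, the helper names and the sample bytes are assumptions for illustration, not the sandbox's actual logic.

```python
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the same scale as 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumption: an 'Encrypted' verdict is derived from an entropy cut-off.
# 7.9 is a hypothetical value picked for this example, not the sandbox's threshold.
ENCRYPTED_THRESHOLD = 7.9


def looks_encrypted(data: bytes) -> bool:
    """True when the byte distribution is close to uniform (packed, compressed or encrypted)."""
    return shannon_entropy(data) >= ENCRYPTED_THRESHOLD


# Magic numbers for the three container types seen in the dropped-file list.
MAGICS = [
    (b"MZ", "pe"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "cdf"),  # OLE2 compound document (MSI)
]

# Extensions a given content type is expected to carry; msiexec legitimately
# writes custom-action DLLs as C:\Windows\Installer\MSI*.tmp, so 'tmp' is allowed for PE.
EXT_FOR_TYPE = {"pe": {"exe", "dll", "tmp"}, "pdf": {"pdf"}, "cdf": {"msi"}}


def sniff(data: bytes) -> str:
    """Identify the container type from leading magic bytes."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(path: str, data: bytes) -> bool:
    """True when the content type is known but the file name's extension does not fit it."""
    kind = sniff(data)
    if kind == "unknown":
        return False
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in EXT_FOR_TYPE[kind]


IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_sections(data: bytes):
    """Return [(section_name, characteristics)] from a PE32 image, or [] if not a PE."""
    if not data.startswith(b"MZ") or len(data) < 0x40:
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    out = []
    for i in range(nsec):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]
        out.append((name, chars))
    return out


def writable_code_sections(data: bytes):
    """Names of sections that are both writable and executable (self-modifying or unpacking code)."""
    return [n for n, c in pe_sections(data)
            if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE]


def build_fake_pe(sections) -> bytes:
    """Constructed minimal PE32 header with the given (name, characteristics); not a real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 optional-header magic
    table = b"".join(name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0, 0, 0, 0, 0, 0, 0, 0, chars)
                     for name, chars in sections)
    return bytes(dos) + coff + bytes(opt) + table


if __name__ == "__main__":
    # Constructed inputs standing in for the 'ml' blob and a clean PE.
    blob = bytes(range(256)) * 16
    print(round(shannon_entropy(blob), 3), looks_encrypted(blob))
    print(extension_mismatch(r"C:\Users\user\AppData\Roaming\JDesktop Tools\ml", b"%PDF-1.5" + blob))
    print(writable_code_sections(build_fake_pe([(b".text", 0xE0000020), (b".data", 0xC0000040)])))
```

Run against real drops, replace the constructed byte strings with `open(path, "rb").read()`; a file that sniffs as PDF but carries near-8.0 entropy throughout, as the "ml" record does, is a payload container rather than a document, and a PE whose `.text` comes back from `writable_code_sections` is worth diffing against the on-disk copy after the process has run.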
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):3768184
                                                                                  Entropy (8bit):6.323324235457555
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:mdziNWio/OWFGZ/7pqfwbAFj1IKdn9kvOIBzuJTHPfw8xZcca9KJi4EIdG:sBaNsKKdn9AzBqw8xZcca9KJi4s
                                                                                  MD5:25DDBD309BB8094229704383977C7268
                                                                                  SHA1:1574D860469EE784034093199DC9533543E5C096
                                                                                  SHA-256:8C7E6A620F4BBC343C2695C2E034CC628062B5C2A6B05461FC41B05436F45147
                                                                                  SHA-512:16CF4205B16F83A3EFEC96660190EFE254919EA18FBC6EB23F45D5C77B0A4A7EFD5DFA36EC1FC43BD79D1D4959A2FA9E172AB842CE7DE754CDC62912752892BA
                                                                                  Malicious:true
                                                                                  Preview: MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......N..,..............O.....X..~....X..~....X..~....X..~.......~........e...\..~....\..~....\.#.......K.....\..~....Rich.....`.SH..R.`[RK..RJ.3RK..R.`.SK..RRichJ..R........................PE..L....,oa.............................u............@...........................9.....q.9...@.................................,S1.d.....4..5...........l9.x.....7.............................@.......H...@...............x............................text.............................. ....rdata..B...........................@..@.data....;...p1..(...T1.............@....rsrc....5....4..6...|4.............@..@.reloc........7.......7.............@..B................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):349720
                                                                                  Entropy (8bit):6.600820777591867
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:Nv4Nuw10tGJjPZTbGT/yMzU/RSzBnEywGrfG/ySTJ7a7hNl/K5bv3jgNZuDwsLB+:N4Nuw10tGJjPZTbkyMzU/RSzBnHHrf+0
                                                                                  MD5:F0AED1A32121A577594ECD66980C3ED3
                                                                                  SHA1:288954A8D6F48639B7605488D2796B14291507E5
                                                                                  SHA-256:D02CC01A7D9ADC1E6F980D1A56D6A641DF9E2A63FDC5F007264D1BF59ECC1446
                                                                                  SHA-512:056670F3074AF5A03326C2BE5FFA0FEC23010DDC25BBED07B295EA3F6C7F8DFBC73E40E11E20103EFEB3B230096F630FB0A3CFA61C4E0A74C15A1CB6319D85D9
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............r...r...r.......r.......r......r......r...s.4.r....\.r.......r......r......r.Rich..r.................PE..L...<K.V...........!.........l.......).......................................p......................................p...9)......<.... ..0................:...0...,..0...............................x{..@............................................text............................... ..`.rdata..............................@..@.data....[.......@..................@....rsrc...0.... ......................@..@.reloc..b3...0...4..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Windows\Installer\3e96f3.msi
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {D9FF1A35-78F9-49F0-A6A0-DB3A11387835}, Number of Words: 8, Subject: JDesktop Tools, Author: JDesktop Integration Components (JDIC) Project, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                                                                  Category:dropped
                                                                                  Size (bytes):2233856
                                                                                  Entropy (8bit):6.540847260876917
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:TDs/YrEUl8VlvfqAE/fQhksQQNgXAo1sVzhly+PkfsJJ10FRzVT8ajBK+ByqV4Tq:GYrEkXAEfs01sVNrajM+
                                                                                  MD5:9AFC8137B547561655D454AFF862E567
                                                                                  SHA1:2DAB8B1B9F1AE612E9CD359207751B452C76CB0D
                                                                                  SHA-256:86747F0567ADBDD895E23E25760AF726A87000BD01EBEF994352EFAD7EB3987C
                                                                                  SHA-512:91B99B561FBD3C6F3C2583CBF13D9FAF31AAFE6EFDB82667F646AD9F245904D3EF8F37B4CD11E141ECBEBDB7724414E21C4A8F7886CE68FFAC7B0BB8B1B5383B
                                                                                  Malicious:false
                                                                                  Preview: ......................>...................#...................................I.......v.......................................................................................................................|...........................................................................................................................................................................................................................................................................................................................c...............%...8........................................................................................... ...!..."...#...$...0.../...'...(...)...*...+...,...-...........6...1...2...3...4...5...9...7...?...C...:...;...<...=...>...B...@...A...K...S...D...E...F...G...H...R.......K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                                  C:\Windows\Installer\MSI9CCF.tmp
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):402912
                                                                                  Entropy (8bit):6.383799484265228
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
                                                                                  MD5:3D24A2AF1FB93F9960A17D6394484802
                                                                                  SHA1:EE74A6CEEA0853C47E12802961A7A8869F7F0D69
                                                                                  SHA-256:8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
                                                                                  SHA-512:F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................
                                                                                  C:\Windows\Installer\MSIA23E.tmp
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):402912
                                                                                  Entropy (8bit):6.383799484265228
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
                                                                                  MD5:3D24A2AF1FB93F9960A17D6394484802
                                                                                  SHA1:EE74A6CEEA0853C47E12802961A7A8869F7F0D69
                                                                                  SHA-256:8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
                                                                                  SHA-512:F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................
                                                                                  C:\Windows\Installer\MSIA368.tmp
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):402912
                                                                                  Entropy (8bit):6.383799484265228
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
                                                                                  MD5:3D24A2AF1FB93F9960A17D6394484802
                                                                                  SHA1:EE74A6CEEA0853C47E12802961A7A8869F7F0D69
                                                                                  SHA-256:8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
                                                                                  SHA-512:F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................
                                                                                  C:\Windows\Installer\MSIA463.tmp
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):887264
                                                                                  Entropy (8bit):6.436854443892135
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:gJgZXlAIjfQhETbF+RWQNgXAo1sVz1v0Mny+PkfsJJ10FRzVTv:F/fQhksQQNgXAo1sVzhly+PkfsJJ10FT
                                                                                  MD5:0BE6E02D01013E6140E38571A4DA2545
                                                                                  SHA1:9149608D60CA5941010E33E01D4FDC7B6C791BEA
                                                                                  SHA-256:3C5DB91EF77B947A0924675FC1EC647D6512287AA891040B6ADE3663AA1FD3A3
                                                                                  SHA-512:F419A5A95F7440623EDB6400F9ADBFB9BA987A65F3B47996A8BB374D89FF53E8638357285485142F76758BFFCB9520771E38E193D89C82C3A9733ED98AE24FCB
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............................4................................................3......3......3.?.....W....3......Rich............................PE..L.....Ia.........."!................................................................KC....@.............................t...d........................p..........T.......p...................@.......h...@............................................text............................... ..`.rdata..............................@..@.data...4...........................@....rsrc................|..............@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................................................
                                                                                  C:\Windows\Installer\MSIA5CB.tmp
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):402912
                                                                                  Entropy (8bit):6.383799484265228
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
                                                                                  MD5:3D24A2AF1FB93F9960A17D6394484802
                                                                                  SHA1:EE74A6CEEA0853C47E12802961A7A8869F7F0D69
                                                                                  SHA-256:8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
                                                                                  SHA-512:F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................
                                                                                  C:\Windows\Installer\MSIA6F5.tmp
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):587232
                                                                                  Entropy (8bit):6.421744382064001
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:qKrajAXKBGIpTOS7OmddoqaclGOh40JEh+DiYgZmD8x32id4PlV1uJTG:dajmU120q+Byd4V4TG
                                                                                  MD5:2A6C81882B2DB41F634B48416C8C8450
                                                                                  SHA1:F36F3A30A43D4B6EE4BE4EA3760587056428CAC6
                                                                                  SHA-256:245D57AFB74796E0A0B0A68D6A81BE407C7617EC6789840A50F080542DACE805
                                                                                  SHA-512:E9EF1154E856D45C5C37F08CF466A4B10DEE6CF71DA47DD740F2247A7EB8216524D5B37FF06BB2372C31F6B15C38101C19A1CF7185AF12A17083207208C6CCBD
                                                                                  Malicious:false
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PD.z>..z>..z>...=..z>...;.Xz>...:..z>...=..z>...:..z>...;..z>...8..z>...?..z>..z?..{>.K.7..z>.K.>..z>.K....z>..z...z>.K.<..z>.Rich.z>.................PE..L.....Ia.........."!.....T...........I.......p............................... ......).....@..........................r.......s..........h........................X......p...........................x...@............p.......p..@....................text....S.......T.................. ..`.rdata.......p.......X..............@..@.data................n..............@....rsrc...h............|..............@..@.reloc...X.......Z..................@..B................................................................................................................................................................................................................................................................................
                                                                                  C:\Windows\Installer\MSIDECF.tmp
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):7110
                                                                                  Entropy (8bit):5.543883277518376
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:GUvgIVGUpQJuKqSJVmRiKWrvO2RZzibbiMMkzQetksKkBhIb:GUvgIIKQJuKqSJVmRiKWrvFRZzibbiMM
                                                                                  MD5:8B98AC6CB180A723BA52B66DE98DBB00
                                                                                  SHA1:F240F752D1906C927646942C76171B4BEB2FD66B
                                                                                  SHA-256:52DAE72056C096A15C030B72425A7AA2CE40B1EB5E93C6336EBDD1D288BD3654
                                                                                  SHA-512:59CBF88B3096B90790E7B1EDE78B01C3BAF61EA37E85CCA40506907929FC53CF2596E8F4BC932682B16BA490BAF7E02343A6ACABE8135F316A2A5CE2011ECDD4
                                                                                  Malicious:false
                                                                                  Preview: ...@IXOS.@.....@YnyS.@.....@.....@.....@.....@.....@......&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}..JDesktop Tools..adv.msi.@.....@.....@.....@........&.{D9FF1A35-78F9-49F0-A6A0-DB3A11387835}.....@.....@.....@.....@.......@.....@.....@.......@......JDesktop Tools......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{F5BA1B6B-756B-4B40-A5CB-A8A21E79DAE6}a.C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\.@.......@.....@.....@......&.{FC3D5B52-2561-4633-85CB-6F8B8A86F2F9}R.01:\Software\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Version.@.......@.....@.....@......&.{8C82D735-0397-4468-B16C-3DB17F7A7006}f.01:\Software\Caphyon\Advanced Installer\LZMA\{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}\3.4.0.2\AI_ExePath.@.......@.....@.....@......&.{0B568A04-369C-43FB-98E4-C437A15709E0}p.C:\Users\user\AppD
                                                                                  C:\Windows\Installer\SourceHash{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.847457778563187
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:0rgT6DElt40l79ne//nTebf8GLx63my22yE7aN9l:0Pi4279e//GUGLxAPsEON9
                                                                                  MD5:EC9297E1D1B30FD062C3D13EC6FAE024
                                                                                  SHA1:B76ED0A7D03642896231301DEB05E66C3EA379C2
                                                                                  SHA-256:87D8368D2560FDF65964732CAC93534A714C78E131E8195671C07356E46333ED
                                                                                  SHA-512:F68EC8E4498CAA022BAEE9D60E699FE065EC043FB5E2B1CCCAC4213E3778D1C24B0E02C7D100865F048110C1B9BAB75877581F31E881729A6E2F5D9E15A0FE17
                                                                                  Malicious:false
                                                                                  C:\Windows\Installer\inprogressinstallinfo.ipi
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.7748956870858386
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:J8PhtuRc06WXzVFT5gN/QRGN/WML4WS+N/F48AE+lCyTYFDVfMLN/CS+N/eTkfPD:Eht1sFTaq8b1rXsZlCMYwLkrZT
                                                                                  MD5:9A3C4924DCD6AFF398A879B0B2FEE47B
                                                                                  SHA1:6B1E8A43D852E11C3644B28AC5A5DF32A07AE930
                                                                                  SHA-256:2D9E26197CDB86E1D81CBD936A35DEEB7DA0377DA1CEB273830100DB6681CE7B
                                                                                  SHA-512:9C22A09275FCEB280EC4A680DBCEEE5F2F322F959074C993E42D1E3F0C75EBC69867130232B932F44C50CF9E39BFD31D420FEED46EA2A1C6F8D8ED3A78774770
                                                                                  Malicious:false
                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):174137
                                                                                  Entropy (8bit):5.355131335414791
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:2JcfxyJbOd+nInu0SXmV9UmtiBMwM5CSXKqqQMxlqNYL/AxVDTAMOfbDj/nCwpTA:2JcI4n9Umtipi5QctdL
                                                                                  MD5:4A462112D12416AC50BBC02C2B36FD38
                                                                                  SHA1:B7E892E195C31991A0D018587CEB1B3DB3909B1A
                                                                                  SHA-256:E2011163D0DCD32141BB6DA4881354953197BD0EBC3533B6F882B1B4084E684D
                                                                                  SHA-512:FFA25783EF36C6673A82012D2310F9821195854C0A07C616FB23B2E039E3CC1B91DB9DFCC45357661B375CED5DE58A6A3C147BE174E005837D719FB9ACA85C00
                                                                                  Malicious:false
                                                                                  Preview: .To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 11:01:23.494 [4132]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 11:01:23.494 [4132]: ngen returning 0x00000000..07/23/2020 11:01:23.541 [2300]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 11:01:23.557 [2300]: ngen returning 0x00000000..07/23/2020 11:01:23.603 [5144]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3
                                                                                  C:\Windows\Temp\~DF10CCF93C50CD522A.TMP
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.4065531844948
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:DIVuZs4aFXzET5lUaN/QRGN/WML4WS+N/F48AE+lCyTYFDVfMLN/CS+N/eTkfPD:0V5WTLtq8b1rXsZlCMYwLkrZT
                                                                                  MD5:B83D4AD57B22D6C840CABAF481DF7B69
                                                                                  SHA1:FD3A9D0C806D2DE3E775158B3260F2757769271F
                                                                                  SHA-256:E6904D40BE74A50E33EC8A884BE38A402522AB04078EC407874A6736B36001D7
                                                                                  SHA-512:F235B635A20E993DFA438873FFAE21605CE842135B6EE7D06DAB40DAF460C96475788DED1374DDC4ED6E580263D4A87F49318DE401B2E38B050ECBB8924401D8
                                                                                  Malicious:false
                                                                                  C:\Windows\Temp\~DF1B68F00AAEC82988.TMP
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  C:\Windows\Temp\~DF3E7A433E0C409AFC.TMP
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.7748956870858386
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:J8PhtuRc06WXzVFT5gN/QRGN/WML4WS+N/F48AE+lCyTYFDVfMLN/CS+N/eTkfPD:Eht1sFTaq8b1rXsZlCMYwLkrZT
                                                                                  MD5:9A3C4924DCD6AFF398A879B0B2FEE47B
                                                                                  SHA1:6B1E8A43D852E11C3644B28AC5A5DF32A07AE930
                                                                                  SHA-256:2D9E26197CDB86E1D81CBD936A35DEEB7DA0377DA1CEB273830100DB6681CE7B
                                                                                  SHA-512:9C22A09275FCEB280EC4A680DBCEEE5F2F322F959074C993E42D1E3F0C75EBC69867130232B932F44C50CF9E39BFD31D420FEED46EA2A1C6F8D8ED3A78774770
                                                                                  Malicious:false
                                                                                  C:\Windows\Temp\~DF46C604FEF4F449F2.TMP
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.7748956870858386
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:J8PhtuRc06WXzVFT5gN/QRGN/WML4WS+N/F48AE+lCyTYFDVfMLN/CS+N/eTkfPD:Eht1sFTaq8b1rXsZlCMYwLkrZT
                                                                                  MD5:9A3C4924DCD6AFF398A879B0B2FEE47B
                                                                                  SHA1:6B1E8A43D852E11C3644B28AC5A5DF32A07AE930
                                                                                  SHA-256:2D9E26197CDB86E1D81CBD936A35DEEB7DA0377DA1CEB273830100DB6681CE7B
                                                                                  SHA-512:9C22A09275FCEB280EC4A680DBCEEE5F2F322F959074C993E42D1E3F0C75EBC69867130232B932F44C50CF9E39BFD31D420FEED46EA2A1C6F8D8ED3A78774770
                                                                                  Malicious:false
                                                                                  C:\Windows\Temp\~DF55CEC612D7410AC0.TMP
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):73728
                                                                                  Entropy (8bit):0.21722949201266403
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:1PDYETSN/CS+N//N/WML4WS+N/F48AE+lCyTYFDVfM8AAN/:JYzkrtb1rXsZlCMYwjA
                                                                                  MD5:47C8CE31C5FD1A6F95E8227E33DC01CA
                                                                                  SHA1:C2F4C22CF36C8046573FDDFC8F6917DF58F17660
                                                                                  SHA-256:2A10145F68A6B37A9DB43623B1D40F5F467A17D685FD6D7BC75D0531FBD3AAA2
                                                                                  SHA-512:D6C1098782C67F723F09A44D1BA15D3EC613202F896BAE7AAD496E464E6289230896540CBD1E543604C1EB324DB9B7CE97988DD9D90F33421A5FE2692C7B44A3
                                                                                  Malicious:false
                                                                                  C:\Windows\Temp\~DF761133D2E041DEFE.TMP
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):0.5618868915910008
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:d9lsaml6DElt40l79ne//nTebf8GLx63my22yE7:d9aaPi4279e//GUGLxAPsE
                                                                                  MD5:619F55E8D28CF4BC286BB7BE49918993
                                                                                  SHA1:A3CCAA9D38D12C041A3E42450DA4B1AC00A4E518
                                                                                  SHA-256:9F2482C4E402EAC636ED64BF09BA117483F462D67791CEA785F3F3F157CF05D5
                                                                                  SHA-512:C733F3355F8741D7E629516A2380283B6E7ED8DC4038B3F25101D38BF4F65E8DF377FDA6EF4E163250C53B94F7FA4941B5B8189A3061D02685508821F80CA782
                                                                                  Malicious:false
                                                                                  C:\Windows\Temp\~DF776763C8FB17AE54.TMP
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.4065531844948
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:DIVuZs4aFXzET5lUaN/QRGN/WML4WS+N/F48AE+lCyTYFDVfMLN/CS+N/eTkfPD:0V5WTLtq8b1rXsZlCMYwLkrZT
                                                                                  MD5:B83D4AD57B22D6C840CABAF481DF7B69
                                                                                  SHA1:FD3A9D0C806D2DE3E775158B3260F2757769271F
                                                                                  SHA-256:E6904D40BE74A50E33EC8A884BE38A402522AB04078EC407874A6736B36001D7
                                                                                  SHA-512:F235B635A20E993DFA438873FFAE21605CE842135B6EE7D06DAB40DAF460C96475788DED1374DDC4ED6E580263D4A87F49318DE401B2E38B050ECBB8924401D8
                                                                                  Malicious:false
                                                                                  C:\Windows\Temp\~DF91038100F0FB06FB.TMP
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Windows\Temp\~DF94144FA3D8D2F215.TMP
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.4065531844948
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:DIVuZs4aFXzET5lUaN/QRGN/WML4WS+N/F48AE+lCyTYFDVfMLN/CS+N/eTkfPD:0V5WTLtq8b1rXsZlCMYwLkrZT
                                                                                  MD5:B83D4AD57B22D6C840CABAF481DF7B69
                                                                                  SHA1:FD3A9D0C806D2DE3E775158B3260F2757769271F
                                                                                  SHA-256:E6904D40BE74A50E33EC8A884BE38A402522AB04078EC407874A6736B36001D7
                                                                                  SHA-512:F235B635A20E993DFA438873FFAE21605CE842135B6EE7D06DAB40DAF460C96475788DED1374DDC4ED6E580263D4A87F49318DE401B2E38B050ECBB8924401D8
                                                                                  Malicious:false
                                                                                  Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Windows\Temp\~DFBABDC1C846730072.TMP
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Windows\Temp\~DFCB1E467AADEF7E4C.TMP
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Windows\Temp\~DFECF05E5DA56163B3.TMP
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  Static File Info

                                                                                  General

                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.710859774528812
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:jXzrIReInY.exe
                                                                                  File size:7840296
                                                                                  MD5:4ec77eb8280485764b6bc22f6cf7d57e
                                                                                  SHA1:85215638743eeb6800aaada5d057e96032db6906
                                                                                  SHA256:716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25
                                                                                  SHA512:770b14b133ac0a7bfee3a973d43a5342cd021a731f1be4d557a332aa4945dbb9be6b25909291feeb766c3fd640ff943780d4172e2fe6f6c77a128585e7914954
                                                                                  SSDEEP:196608:cL6ocnTAcca9KJi4G+eiPUei/L6StB1o4lLMjgfIg/rNv+J3e:G6JnTAcca9KJi4teSq/WSb6aagfTTie
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............K...K...K...J...K...JX..K...J...K...J...K...J...K...J...K...J...K...J...K...J...K...K ..KX..J...KX.oK...K...K...KX..J...

                                                                                  File Icon

                                                                                  Icon Hash:f0c49c70f99cc4f0

                                                                                  Static PE Info

                                                                                  General

                                                                                  Entrypoint:0x52c471
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:true
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                  Time Stamp:0x6149D0A9 [Tue Sep 21 12:31:37 2021 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:6
                                                                                  OS Version Minor:0
                                                                                  File Version Major:6
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:6
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:0748c08f838865e5d72743f7fd7e551e

                                                                                  Authenticode Signature

                                                                                  Signature Valid:
                                                                                  Signature Issuer:
                                                                                  Signature Validation Error:
                                                                                  Error Number:
                                                                                  Not Before, Not After
                                                                                    Subject Chain
                                                                                      Version:
                                                                                      Thumbprint MD5:
                                                                                      Thumbprint SHA-1:
                                                                                      Thumbprint SHA-256:
                                                                                      Serial:

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      call 00007F3710A745C1h
                                                                                      jmp 00007F3710A73DCFh
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      push ecx
                                                                                      lea ecx, dword ptr [esp+08h]
                                                                                      sub ecx, eax
                                                                                      and ecx, 0Fh
                                                                                      add eax, ecx
                                                                                      sbb ecx, ecx
                                                                                      or eax, ecx
                                                                                      pop ecx
                                                                                      jmp 00007F3710A746AFh
                                                                                      push ecx
                                                                                      lea ecx, dword ptr [esp+08h]
                                                                                      sub ecx, eax
                                                                                      and ecx, 07h
                                                                                      add eax, ecx
                                                                                      sbb ecx, ecx
                                                                                      or eax, ecx
                                                                                      pop ecx
                                                                                      jmp 00007F3710A74699h
                                                                                      mov ecx, dword ptr [ebp-0Ch]
                                                                                      mov dword ptr fs:[00000000h], ecx
                                                                                      pop ecx
                                                                                      pop edi
                                                                                      pop edi
                                                                                      pop esi
                                                                                      pop ebx
                                                                                      mov esp, ebp
                                                                                      pop ebp
                                                                                      push ecx
                                                                                      ret
                                                                                      mov ecx, dword ptr [ebp-10h]
                                                                                      xor ecx, ebp
                                                                                      call 00007F3710A733F2h
                                                                                      jmp 00007F3710A73F32h
                                                                                      push eax
                                                                                      push dword ptr fs:[00000000h]
                                                                                      lea eax, dword ptr [esp+0Ch]
                                                                                      sub esp, dword ptr [esp+0Ch]
                                                                                      push ebx
                                                                                      push esi
                                                                                      push edi
                                                                                      mov dword ptr [eax], ebp
                                                                                      mov ebp, eax
                                                                                      mov eax, dword ptr [005E6024h]
                                                                                      xor eax, ebp
                                                                                      push eax
                                                                                      push dword ptr [ebp-04h]
                                                                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                      lea eax, dword ptr [ebp-0Ch]
                                                                                      mov dword ptr fs:[00000000h], eax
                                                                                      ret
                                                                                      push eax
                                                                                      push dword ptr fs:[00000000h]
                                                                                      lea eax, dword ptr [esp+0Ch]
                                                                                      sub esp, dword ptr [esp+0Ch]
                                                                                      push ebx
                                                                                      push esi
                                                                                      push edi
                                                                                      mov dword ptr [eax], ebp
                                                                                      mov ebp, eax
                                                                                      mov eax, dword ptr [005E6024h]
                                                                                      xor eax, ebp
                                                                                      push eax
                                                                                      mov dword ptr [ebp-10h], eax
                                                                                      push dword ptr [ebp-04h]
                                                                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                      lea eax, dword ptr [ebp-0Ch]
                                                                                      mov dword ptr fs:[00000000h], eax
                                                                                      ret

                                                                                      Data Directories

                                                                                      Name                                 | Virtual Address | Virtual Size | Is in Section
                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x1e468c        | 0x28         | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x1ed000        | 0x38ea0      | .rsrc
                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x777b88        | 0x2660       |
                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x226000        | 0x19c0c      | .reloc
                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x1aab68        | 0x70         | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_TLS            | 0x1aac00        | 0x18         | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x186e68        | 0x40         | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_IAT            | 0x185000        | 0x2c0        | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x1e1d28        | 0x260        | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                                                                      Sections

                                                                                      Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy       | Characteristics
                                                                                      .text  | 0x1000          | 0x183b2f     | 0x183c00 | False    | 0.450583796744  | data      | 6.42629991801 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                      .rdata | 0x185000        | 0x60684      | 0x60800  | False    | 0.325258561367  | data      | 4.58910819653 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .data  | 0x1e6000        | 0x6e78       | 0x5600   | False    | 0.130405159884  | data      | 2.02713431011 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                      .rsrc  | 0x1ed000        | 0x38ea0      | 0x39000  | False    | 0.239840323465  | data      | 5.41863510681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .reloc | 0x226000        | 0x19c0c      | 0x19e00  | False    | 0.504642210145  | data      | 6.56301368687 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                      Resources

                                                                                      Name       | RVA      | Size    | Type                                                                                                                                     | Language | Country
                                                                                      IMAGE_FILE | 0x1edae8 | 0x6     | ISO-8859 text, with no line terminators                                                                                                  | English  | United States
                                                                                      IMAGE_FILE | 0x1edaf0 | 0x6     | ISO-8859 text, with no line terminators                                                                                                  | English  | United States
                                                                                      RTF_FILE   | 0x1edaf8 | 0x2e9   | Rich Text Format data, version 1, ANSI                                                                                                   | English  | United States
                                                                                      RTF_FILE   | 0x1edde4 | 0xa1    | Rich Text Format data, version 1, ANSI                                                                                                   | English  | United States
                                                                                      RT_BITMAP  | 0x1ede88 | 0x13e   | data                                                                                                                                     | English  | United States
                                                                                      RT_BITMAP  | 0x1edfc8 | 0x828   | dBase III DBT, version number 0, next free block index 40                                                                                | English  | United States
                                                                                      RT_BITMAP  | 0x1ee7f0 | 0x48a8  | dBase III DBT, version number 0, next free block index 40                                                                                | English  | United States
                                                                                      RT_BITMAP  | 0x1f3098 | 0xa6a   | data                                                                                                                                     | English  | United States
                                                                                      RT_BITMAP  | 0x1f3b04 | 0x152   | data                                                                                                                                     | English  | United States
                                                                                      RT_BITMAP  | 0x1f3c58 | 0x828   | dBase III DBT, version number 0, next free block index 40                                                                                | English  | United States
                                                                                      RT_ICON    | 0x1f4480 | 0x4513  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                                                              | English  | United States
                                                                                      RT_ICON    | 0x1f8994 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0                           | English  | United States
                                                                                      RT_ICON    | 0x2091bc | 0x94a8  | data                                                                                                                                     | English  | United States
                                                                                      RT_ICON    | 0x212664 | 0x5488  | data                                                                                                                                     | English  | United States
                                                                                      RT_ICON    | 0x217aec | 0x4228  | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 64767, next used block 4282318848 | English  | United States
                                                                                      RT_ICON    | 0x21bd14 | 0x25a8  | data                                                                                                                                     | English  | United States
                                                                                      RT_ICON    | 0x21e2bc | 0x10a8  | data                                                                                                                                     | English  | United States
                                                                                      RT_ICON    | 0x21f364 | 0x988   | data                                                                                                                                     | English  | United States
                                                                                      RT_ICON    | 0x21fcec | 0x468   | GLS_BINARY_LSB_FIRST                                                                                                                     | English  | United States
                                                                                      RT_MENU    | 0x220154 | 0x5c    | data                                                                                                                                     | English  | United States
                                                                                      RT_MENU    | 0x2201b0 | 0x2a    | data                                                                                                                                     | English  | United States
                                                                                      RT_DIALOG  | 0x2201dc | 0xac    | data                                                                                                                                     | English  | United States
                                                                                      RT_DIALOG  | 0x220288 | 0x2a6   | data                                                                                                                                     | English  | United States
                                                                                      RT_DIALOG  | 0x220530 | 0x3b4   | data                                                                                                                                     | English  | United States
                                                                                      RT_DIALOG  | 0x2208e4 | 0xbc    | data                                                                                                                                     | English  | United States
                                                                                      RT_DIALOG  | 0x2209a0 | 0x204   | data                                                                                                                                     | English  | United States
                                                                                      RT_DIALOG  | 0x220ba4 | 0x282   | data                                                                                                                                     | English  | United States
                                                                                      RT_DIALOG  | 0x220e28 | 0xcc    | data                                                                                                                                     | English  | United States
                                                                                      RT_DIALOG  | 0x220ef4 | 0x146   | data                                                                                                                                     | English  | United States
                                                                                      RT_DIALOG  | 0x22103c | 0x226   | data                                                                                                                                     | English  | United States
                                                                                      RT_DIALOG  | 0x221264 | 0x388   | data                                                                                                                                     | English  | United States
                                                                                      RT_DIALOG  | 0x2215ec | 0x1b4   | data                                                                                                                                     | English  | United States
                                                                                      RT_DIALOG  | 0x2217a0 | 0x136   | data                                                                                                                                     | English  | United States
                                                                                      RT_DIALOG0x2218d80x4cdataEnglishUnited States
                                                                                      RT_STRING0x2219240x45cdataEnglishUnited States
                                                                                      RT_STRING0x221d800x344dataEnglishUnited States
                                                                                      RT_STRING0x2220c40x2f8dataEnglishUnited States
                                                                                      RT_STRING0x2223bc0x598dataEnglishUnited States
                                                                                      RT_STRING0x2229540x3aadataEnglishUnited States
                                                                                      RT_STRING0x222d000x5c0dataEnglishUnited States
                                                                                      RT_STRING0x2232c00x568dataEnglishUnited States
                                                                                      RT_STRING0x2238280x164dataEnglishUnited States
                                                                                      RT_STRING0x22398c0x520dataEnglishUnited States
                                                                                      RT_STRING0x223eac0x1a0dataEnglishUnited States
                                                                                      RT_STRING0x22404c0x18adataEnglishUnited States
                                                                                      RT_STRING0x2241d80x216dataEnglishUnited States
                                                                                      RT_STRING0x2243f00x624dataEnglishUnited States
                                                                                      RT_STRING0x224a140x660dataEnglishUnited States
                                                                                      RT_STRING0x2250740x2a8dataEnglishUnited States
                                                                                      RT_GROUP_ICON0x22531c0x84dataEnglishUnited States
                                                                                      RT_VERSION0x2253a00x384dataEnglishUnited States
                                                                                      RT_MANIFEST0x2257240x77bXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States

                                                                                      Imports

DLL | Import
KERNEL32.dll | CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, RemoveDirectoryW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, SetEvent, InitializeCriticalSection, lstrcpynW, WaitForSingleObject, CreateThread, GetProcAddress, LoadLibraryExW, DecodePointer, Sleep, GetDiskFreeSpaceExW, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, GetModuleHandleW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SystemTimeToFileTime, MultiByteToWideChar, WideCharToMultiByte, GetCurrentProcess, GetSystemInfo, WaitForMultipleObjects, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetEnvironmentStringsW, FormatMessageW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, CreateProcessW, GetExitCodeProcess, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetLocaleInfoW, GetSystemDefaultLangID, GetUserDefaultLangID, GetWindowsDirectoryW, GetSystemTime, GetDateFormatW, GetTimeFormatW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, GetLocalTime, CreateNamedPipeW, ConnectNamedPipe, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, IsDebuggerPresent, EncodePointer, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, QueryPerformanceCounter, QueryPerformanceFrequency, LCMapStringEx, GetSystemTimeAsFileTime, CompareStringEx, GetCPInfo, WaitForSingleObjectEx, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetFileType, GetTimeZoneInformation, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, IsValidCodePage, GetACP, GetOEMCP, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW
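The import table above lists a single statically imported DLL, KERNEL32.dll, and no USER32, ADVAPI32 or networking DLLs even though the file carries RT_DIALOG and RT_MENU resources. The script below is an added triage example, not code from the Joe Sandbox report or from the sample: it takes the report's KERNEL32.dll row (copied here as a constructed "DLL | name, name, ..." string), groups the imported names into capability sets, and lists DLLs one would expect an installer-style GUI program to import but that are absent. The capability groups, the 50% coverage threshold and the "expected DLL" list are this example's own assumptions.

```python
"""Import-table triage for the single KERNEL32.dll row of a sandbox report.

Added example, not code from the Joe Sandbox report or from the sample.
IMPORT_ROWS is the report's import row copied as a constructed
"DLL | name, name, ..." string; CAPABILITIES, the 50% threshold and the
expected-DLL list in missing_dlls() are this example's own assumptions.
"""

IMPORT_ROWS = (
    "KERNEL32.dll | CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, "
    "HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, "
    "FindResourceW, FindResourceExW, RemoveDirectoryW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, "
    "MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, "
    "DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, "
    "SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, "
    "FindFirstFileW, GetFullPathNameW, SetEvent, InitializeCriticalSection, lstrcpynW, WaitForSingleObject, "
    "CreateThread, GetProcAddress, LoadLibraryExW, DecodePointer, Sleep, GetDiskFreeSpaceExW, "
    "GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, "
    "VerSetConditionMask, lstrcmpiW, GetModuleHandleW, LoadLibraryW, GetDriveTypeW, CompareStringW, "
    "FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, "
    "SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SystemTimeToFileTime, "
    "MultiByteToWideChar, WideCharToMultiByte, GetCurrentProcess, GetSystemInfo, WaitForMultipleObjects, "
    "VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, "
    "FileTimeToSystemTime, GetEnvironmentVariableW, GetEnvironmentStringsW, FormatMessageW, LocalFree, "
    "InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, "
    "FlushFileBuffers, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, "
    "CreateProcessW, GetExitCodeProcess, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, "
    "EnumResourceLanguagesW, GetLocaleInfoW, GetSystemDefaultLangID, GetUserDefaultLangID, "
    "GetWindowsDirectoryW, GetSystemTime, GetDateFormatW, GetTimeFormatW, CreateToolhelp32Snapshot, "
    "Process32FirstW, Process32NextW, ResetEvent, GlobalFree, GetPrivateProfileStringW, "
    "GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, GetLocalTime, CreateNamedPipeW, "
    "ConnectNamedPipe, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, "
    "TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, IsDebuggerPresent, "
    "EncodePointer, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, "
    "FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, QueryPerformanceCounter, "
    "QueryPerformanceFrequency, LCMapStringEx, GetSystemTimeAsFileTime, CompareStringEx, GetCPInfo, "
    "WaitForSingleObjectEx, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, "
    "TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetFileType, GetTimeZoneInformation, "
    "LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, IsValidCodePage, "
    "GetACP, GetOEMCP, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, GetCommandLineA, "
    "FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW"
)

# Capability groups (assumed by this example): a group counts as present when
# at least half of its APIs appear in the static import table.
CAPABILITIES = {
    "anti-debug / timing": {"IsDebuggerPresent", "OutputDebugStringW", "GetTickCount",
                            "QueryPerformanceCounter", "QueryPerformanceFrequency"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "wow64 fs redirection": {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection",
                             "IsWow64Process"},
    "named-pipe IPC": {"CreateNamedPipeW", "ConnectNamedPipe", "PeekNamedPipe"},
    "runtime API resolution": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
                               "GetProcAddress"},
    "writable/executable memory": {"VirtualAlloc", "VirtualProtect", "FlushInstructionCache"},
    "resource extraction": {"FindResourceW", "FindResourceExW", "LoadResource", "LockResource",
                            "SizeofResource"},
    "drop and execute": {"GetTempPathW", "GetTempFileNameW", "CreateFileW", "WriteFile", "MoveFileW",
                         "CreateProcessW", "DeleteFileW"},
    # Classic cross-process injection set; included to show a group that is NOT matched.
    "remote process injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                                 "CreateRemoteThread"},
}


def parse_import_rows(text):
    """Return {dll: set(api)} from 'DLL | a, b, c' rows, one row per line."""
    imports = {}
    for row in text.splitlines():
        if "|" not in row:
            continue
        dll, _, apis = row.partition("|")
        imports.setdefault(dll.strip(), set()).update(a.strip() for a in apis.split(",") if a.strip())
    return imports


def triage(imports, min_fraction=0.5):
    """Return {capability: sorted matched APIs} for every group covered >= min_fraction."""
    present = set().union(*imports.values()) if imports else set()
    hits = {}
    for capability, apis in CAPABILITIES.items():
        matched = apis & present
        if len(matched) / len(apis) >= min_fraction:
            hits[capability] = sorted(matched)
    return hits


def missing_dlls(imports, expected=("USER32.dll", "ADVAPI32.dll", "WS2_32.dll", "WININET.dll")):
    """DLLs from the (assumed) expected list that the table does not import statically.
    Their absence alongside LoadLibrary*/GetProcAddress imports points at runtime
    resolution, or at the functionality living in a dropped second stage."""
    have = {dll.lower() for dll in imports}
    return [dll for dll in expected if dll.lower() not in have]


if __name__ == "__main__":
    table = parse_import_rows(IMPORT_ROWS)
    for capability, apis in triage(table).items():
        print(f"{capability}: {', '.join(apis)}")
    print("not imported statically:", ", ".join(missing_dlls(table)))
```

Run with `python3 import_triage.py`; every group except "remote process injection" is fully matched, so the static table alone already points at a dropper (resource extraction plus drop-and-execute), process enumeration and anti-debug checks, and a LoadLibrary*/GetProcAddress pair that can resolve anything the table does not show. A missing group is only evidence about the static table: the Yara hits in this report are on the dropped plcd-player.exe, not on the submitted installer.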

                                                                                      Version Infos

Description | Data
LegalCopyright | Copyright (C) 2021 JDesktop Integration Components (JDIC) Project
InternalName | plcd-player
FileVersion | 3.4.0.2
CompanyName | JDesktop Integration Components (JDIC) Project
ProductName | JDesktop Tools
ProductVersion | 3.4.0.2
FileDescription | JDesktop Tools Installer
OriginalFileName | plcd-player.exe
Translation | 0x0409 0x04b0

                                                                                      Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                                                                      Network Behavior

                                                                                      Network Port Distribution

                                                                                      UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2021 13:51:32.522811890 CET | 50781 | 53 | 192.168.2.7 | 8.8.8.8
Nov 25, 2021 13:51:32.603698969 CET | 53 | 50781 | 8.8.8.8 | 192.168.2.7

                                                                                      DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 25, 2021 13:51:32.522811890 CET | 192.168.2.7 | 8.8.8.8 | 0x41f2 | Standard query (0) | get.updates.avast.cn | A (IP address) | IN (0x0001)

                                                                                      DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 25, 2021 13:51:04.875520945 CET | 8.8.8.8 | 192.168.2.7 | 0x9886 | No error (0) | windowsupdate.s.llnwi.net | | 178.79.225.128 | A (IP address) | IN (0x0001)
Nov 25, 2021 13:51:04.875520945 CET | 8.8.8.8 | 192.168.2.7 | 0x9886 | No error (0) | windowsupdate.s.llnwi.net | | 95.140.230.128 | A (IP address) | IN (0x0001)
Nov 25, 2021 13:51:04.969217062 CET | 8.8.8.8 | 192.168.2.7 | 0x5864 | No error (0) | windowsupdate.s.llnwi.net | | 95.140.230.128 | A (IP address) | IN (0x0001)
Nov 25, 2021 13:51:04.969217062 CET | 8.8.8.8 | 192.168.2.7 | 0x5864 | No error (0) | windowsupdate.s.llnwi.net | | 178.79.225.0 | A (IP address) | IN (0x0001)
Nov 25, 2021 13:51:32.603698969 CET | 8.8.8.8 | 192.168.2.7 | 0x41f2 | Name error (3) | get.updates.avast.cn | none | none | A (IP address) | IN (0x0001)

                                                                                      Code Manipulations

                                                                                      Statistics

                                                                                      Behavior


                                                                                      System Behavior

                                                                                      General

                                                                                      Start time:13:50:21
                                                                                      Start date:25/11/2021
                                                                                      Path:C:\Users\user\Desktop\jXzrIReInY.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\jXzrIReInY.exe"
                                                                                      Imagebase:0x2b0000
                                                                                      File size:7840296 bytes
                                                                                      MD5 hash:4EC77EB8280485764B6BC22F6CF7D57E
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:13:50:27
                                                                                      Start date:25/11/2021
                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                      Imagebase:0x7ff73a390000
                                                                                      File size:66048 bytes
                                                                                      MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:13:50:28
                                                                                      Start date:25/11/2021
                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding C5EB72BDE2B80B60A07F51ECA26339C7 C
                                                                                      Imagebase:0xef0000
                                                                                      File size:59904 bytes
                                                                                      MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:13:50:29
                                                                                      Start date:25/11/2021
                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI="
                                                                                      Imagebase:0xef0000
                                                                                      File size:59904 bytes
                                                                                      MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:13:50:33
                                                                                      Start date:25/11/2021
                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 54779E8B78CD501470CD2E1995D98D79
                                                                                      Imagebase:0xef0000
                                                                                      File size:59904 bytes
                                                                                      MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:13:51:00
                                                                                      Start date:25/11/2021
                                                                                      Path:C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
                                                                                      Imagebase:0x1a0000
                                                                                      File size:3768184 bytes
                                                                                      MD5 hash:25DDBD309BB8094229704383977C7268
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                      Reputation:low
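The six process records above describe the whole chain: the submitted installer starts the Windows Installer service (msiexec /V), a 32-bit msiexec installs an MSI staged under the user's AppData\Roaming folder with Advanced Installer's AI_SETUPEXEPATH / SETUPEXEDIR properties, two custom-action servers (-Embedding) run around that install, and the dropped plcd-player.exe, the only process with Yara hits, executes from the same AppData\Roaming tree. The script below is an added detection example, not code from the Joe Sandbox report or from the sample: it parses a constructed copy of these records in the report's own "Key:value" form (reduced to the fields the rules need) and applies a few behavioural rules. The rule names, the regexes and the 30-second correlation window are this example's own assumptions.

```python
"""Behavioural triage over the System Behavior records of a sandbox report.

Added example, not code from the Joe Sandbox report or from the sample.
PROCESS_LOG is a constructed copy of the six process records in the report's
"Key:value" form, keeping only the fields the rules below need. The rules,
their wording and the 30 s window are this example's own assumptions.
"""
import re

PROCESS_LOG = r"""
General
Start time:13:50:21
Path:C:\Users\user\Desktop\jXzrIReInY.exe
Commandline:"C:\Users\user\Desktop\jXzrIReInY.exe"
Reputation:low
General
Start time:13:50:27
Path:C:\Windows\System32\msiexec.exe
Commandline:C:\Windows\system32\msiexec.exe /V
Reputation:high
General
Start time:13:50:28
Path:C:\Windows\SysWOW64\msiexec.exe
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding C5EB72BDE2B80B60A07F51ECA26339C7 C
Reputation:high
General
Start time:13:50:29
Path:C:\Windows\SysWOW64\msiexec.exe
Commandline:C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI="
Reputation:high
General
Start time:13:50:33
Path:C:\Windows\SysWOW64\msiexec.exe
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 54779E8B78CD501470CD2E1995D98D79
Reputation:high
General
Start time:13:51:00
Path:C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
Commandline:C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
Reputation:low
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
"""

# Rule names (assumed wording for this example).
R_APPDATA = "low-reputation binary executed from the user profile"
R_MSI = "msiexec installing an MSI staged under the user profile"
R_AI = "Advanced Installer exe wrapper (AI_SETUPEXEPATH) handed the MSI to msiexec"
R_CA = "msiexec custom-action server (-Embedding) within 30 s of the MSI install"

APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
MSI_INSTALL_RE = re.compile(r'msiexec\.exe"?\s+/i\s+"?([^"]+\.msi)', re.IGNORECASE)
EMBEDDING_RE = re.compile(r"MsiExec\.exe\s+-Embedding\s+[0-9A-F]{32}", re.IGNORECASE)


def parse_blocks(text):
    """Split the report's 'General' blocks into dicts; Yara bullets become a list."""
    procs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "General":
            cur = {"Yara matches": []}
            procs.append(cur)
        elif line.startswith("• Rule:") and cur is not None:
            cur["Yara matches"].append(re.search(r"Rule:\s*([^,]+)", line).group(1))
        elif ":" in line and cur is not None:
            key, _, value = line.partition(":")
            if key != "Yara matches":
                cur[key] = value.strip()
    return procs


def to_seconds(hms):
    """'13:50:21' -> seconds since midnight, for same-day correlation."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def evaluate(procs, window=30):
    """Return [(path, rule)] for every rule a process record triggers."""
    findings, install_times = [], []
    for p in procs:
        path, cmd = p.get("Path", ""), p.get("Commandline", "")
        if APPDATA_RE.search(path) and p.get("Reputation") == "low":
            findings.append((path, R_APPDATA))
        m = MSI_INSTALL_RE.search(cmd)
        if m and APPDATA_RE.search(m.group(1)):
            findings.append((path, R_MSI))
            install_times.append(to_seconds(p["Start time"]))
            if "AI_SETUPEXEPATH=" in cmd:
                findings.append((path, R_AI))
        if p["Yara matches"]:
            findings.append((path, "yara: " + ", ".join(p["Yara matches"])))
    # Custom-action servers are where installer-borne code actually runs; tie
    # them to the install they belong to by start time (no parent PIDs in the report).
    for p in procs:
        if EMBEDDING_RE.search(p.get("Commandline", "")):
            t = to_seconds(p["Start time"])
            if any(abs(t - it) <= window for it in install_times):
                findings.append((p["Path"], R_CA))
    return findings


if __name__ == "__main__":
    for path, rule in evaluate(parse_blocks(PROCESS_LOG)):
        print(f"{rule}\n    {path}")
```

The msiexec rules on their own describe every Advanced Installer package, so they are correlation input rather than alerts; what makes this chain worth escalating is the combination with a low-reputation, Yara-matching executable launched from the same AppData\Roaming tree that the MSI was staged in.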

                                                                                      Disassembly

                                                                                      Code Analysis
