Windows Analysis Report 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe

Overview

General Information

Sample Name: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe
Analysis ID: 534003
MD5: 8b7b82eb83d4a6760ecf8e9398ffda64
SHA1: e827272cd42a9030741f4acb6004a97f6e13ba40
SHA256: 912534a5380738d96e8ddb7873ecb004667d72d5df783cabce2e398c11b14912
Tags: exe, GCleaner

Errors
  • Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database
  • Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service
  • Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing
  • Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP
  • Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog
  • Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy
  • Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

Detection

RedLine, Socelars, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara Genericmalware
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Vidar stealer
Yara detected Socelars
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Maps a DLL or memory area into another process
Sigma detected: Suspicious Script Execution From Temp Folder
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Creates HTML files with .exe extension (expired dropper behavior)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Sigma detected: Powershell Defender Exclusion
Obfuscated command line found
PE file has nameless sections
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE file contains more sections than normal
Launches processes in debugging mode, may be used to hinder debugging
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)

AV Detection:

Yara Genericmalware
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340cda6.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340ada6.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340cda6.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.311875939.00007FF7B9D96000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe PID: 5000, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0699e256d5dc14.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\siww1047[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Pictures\Adobe Films\i4HzLCX9ix_xgRHB3fQN7Sf0.exe, type: DROPPED
Antivirus detection for URL or domain
Source: http://amzrouting.com/amz.exe/$ Avira URL Cloud: Label: malware
Source: http://hsiens.xyz/ URL Reputation: Label: malware
Source: http://194.145.227.161/dlc/sharing.php?pub=mixone Avira URL Cloud: Label: malware
Source: http://hsiens.xyz/addInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=149&oname Avira URL Cloud: Label: phishing
Source: http://www.bqmqx.com/askhelp59/askinstall59.exe Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067f2fcee827.exe Avira: detection malicious, Label: HEUR/AGEN.1142105
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Avira: detection malicious, Label: TR/AD.Chapak.njyhm
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06434adde6c2.exe Avira: detection malicious, Label: TR/Kryptik.jpozl
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon066b4a7578e0123e.exe Avira: detection malicious, Label: TR/Crypt.Agent.wfnia
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0699e256d5dc14.exe Avira: detection malicious, Label: TR/Agent.sdnqs
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Uponrun[1].exe Avira: detection malicious, Label: HEUR/AGEN.1144479
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06be060a7cb426cf.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon060579dda3b.exe Avira: detection malicious, Label: HEUR/AGEN.1124060
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\NiceProcessX64[1].bmp Avira: detection malicious, Label: TR/Agent.dttsn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BF1[1].exe Avira: detection malicious, Label: HEUR/AGEN.1142105
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Avira: detection malicious, Label: TR/Crypt.XPACK.zbssu
Multi AV Scanner detection for submitted file
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Virustotal: Detection: 61%
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe ReversingLabs: Detection: 75%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\NiceProcessX64[1].bmp Metadefender: Detection: 14%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\NiceProcessX64[1].bmp ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Uponrun[1].exe Metadefender: Detection: 40%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Uponrun[1].exe ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\Setup12[1].exe ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Service[1].bmp Metadefender: Detection: 48%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Service[1].bmp ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\askinstall42[1].exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\askinstall59[1].exe Metadefender: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\askinstall59[1].exe ReversingLabs: Detection: 96%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\install4[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file1[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Udp[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\xxxx[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon066b4a7578e0123e.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\toolspab2[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\comprehensive1[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Uponrun[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06be060a7cb426cf.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\NiceProcessX64[1].bmp Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Service[1].bmp Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\file3[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\amz[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\Setup12[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\ferrari[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file

Compliance:

Uses 32bit PE files
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06f9c53ffae25af61.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File opened: C:\Users\user\AppData\Local\Temp\7zS883210E8\libcurl.dll
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File opened: C:\Users\user\AppData\Local\Temp\7zS883210E8\libcurlpp.dll
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File opened: C:\Users\user\AppData\Local\Temp\7zS883210E8\
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_00404B47 FindFirstFileW, 0_2_00404B47
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00404640 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,GetUserNameA, 26_2_00404640
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_004268FD FindFirstFileExW, 26_2_004268FD
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00554890 FindFirstFileA,FindClose,__Init_thread_footer,GetUserNameA,__Init_thread_footer,__Init_thread_footer,GetWindowTextA,Sleep,GetWindowTextA, 26_2_00554890
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_005528B0 __cftof,FindFirstFileExW,FindFirstFileExW,FindFirstFileExW,SetFilePointerEx,InternetOpenA,InternetSetOptionA,RtlReAllocateHeap,GetTimeZoneInformation,InternetConnectA,HttpOpenRequestA,HttpSendRequestA, 26_2_005528B0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00576B4D FindFirstFileExW, 26_2_00576B4D

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Networking:

Creates HTML files with .exe extension (expired dropper behavior)
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: i9v9KeSPU8TebYFmPJaLjDAO.exe.22.dr
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: _I840nW0W0BkPi0VRC8fXhgb.exe.22.dr
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: xA0WuHkNhYwpKVNtLY3CaqeU.exe.22.dr
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: Zq6kcg5lJKuuEaFuudf7gjaI.exe.22.dr
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: 7ciFxtIpptvH3EmimVuzKQBx.exe.22.dr
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: Tm0qqnTEi1cYOqiY563QdqH0.exe.22.dr
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: r9bfArOAMkG37pKilxWRU07h.exe.22.dr
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: XgI7PQbAfdnaXrmuKlSbD1tN.exe.22.dr
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: BFuUkLJxjHnJ56WPRhHz3ign.exe.22.dr
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: rdIcksBC3fOhxUKidyQmX7w8.exe.22.dr
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp String found in binary or memory: http://193.56.146.76/Udp.exev%
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.769539530.0000000000866000.00000004.00000001.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000002.769468073.000000000082C000.00000004.00000001.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000002.769498880.0000000000838000.00000004.00000001.sdmp String found in binary or memory: http://194.145.227.161/
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.769468073.000000000082C000.00000004.00000001.sdmp String found in binary or memory: http://194.145.227.161/45.227.161/dlc/sharing.php?pub=mixone
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.769539530.0000000000866000.00000004.00000001.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000002.769468073.000000000082C000.00000004.00000001.sdmp String found in binary or memory: http://194.145.227.161/dlc/sharing.php?pub=mixone
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.769468073.000000000082C000.00000004.00000001.sdmp String found in binary or memory: http://194.145.227.161/dlc/sharing.php?pub=mixone$
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.762192003.00000000007BA000.00000004.00000020.sdmp String found in binary or memory: http://194.145.227.161/dlc/sharing.php?pub=mixone-HV3up
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.769539530.0000000000866000.00000004.00000001.sdmp String found in binary or memory: http://194.145.227.161/dlc/sharing.php?pub=mixone3
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.762192003.00000000007BA000.00000004.00000020.sdmp String found in binary or memory: http://194.145.227.161/dlc/sharing.php?pub=mixoneTIFIER=Intel64
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.769468073.000000000082C000.00000004.00000001.sdmp String found in binary or memory: http://194.145.227.161/dlc/sharing.php?pub=mixoneZ
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.769468073.000000000082C000.00000004.00000001.sdmp String found in binary or memory: http://194.145.227.161/dlc/sharing.php?pub=mixoneb
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.769539530.0000000000866000.00000004.00000001.sdmp String found in binary or memory: http://194.145.227.161/dlc/sharing.php?pub=mixonene
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.762192003.00000000007BA000.00000004.00000020.sdmp String found in binary or memory: http://194.145.227.161/dlc/sharing.php?pub=mixonerogramDataAPPDATA=C:
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.769468073.000000000082C000.00000004.00000001.sdmp String found in binary or memory: http://194.145.227.161/dlc/sharing.php?pub=mixone~
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://2.56.59.42/
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.535304897.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530084134.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.535063167.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.525218061.00000000034E5000.00000004.00000001.sdmp String found in binary or memory: http://2.56.59.42/&
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://2.56.59.42/WW/search21.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://2.56.59.42/WW/search21.exeinstall59.exe~
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://2.56.59.42/base/api/getData.php
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://2.56.59.42/base/api/getData.phpdd
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.535304897.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530084134.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.535063167.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.525218061.00000000034E5000.00000004.00000001.sdmp String found in binary or memory: http://2.56.59.42/f
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.535304897.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530084134.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.535063167.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.525218061.00000000034E5000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file1.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://212.193.30.29/WW/file1.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.535304897.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530084134.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.535063167.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.525218061.00000000034E5000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file1.exeK
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file1.exei
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.535304897.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530084134.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.535063167.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.525218061.00000000034E5000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file1.exem
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://212.193.30.29/WW/file2.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://212.193.30.29/WW/file2.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.535304897.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530084134.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.535063167.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.525218061.00000000034E5000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file3.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.535304897.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530084134.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.535063167.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.525218061.00000000034E5000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file3.exe8
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://212.193.30.29/WW/file3.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.535304897.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530084134.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.535063167.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.525218061.00000000034E5000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file3.exem
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file4.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file4.exe/j
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://212.193.30.29/WW/file4.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474601596.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file4.exea
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file4.exen
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file4.exet
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file4.exez
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.474601596.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file5.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file5.exe7
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://212.193.30.29/WW/file5.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file5.exeO
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474601596.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file5.exeS#u
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.474601596.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file6.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://212.193.30.29/WW/file6.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file6.exeK
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file7.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://212.193.30.29/WW/file7.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474601596.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file7.exeY#
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file8.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file8.exe$
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://212.193.30.29/WW/file8.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://212.193.30.29/WW/file8.exeice.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474601596.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/WW/file8.exew
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.490465547.00000000038F1000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/download/Service.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://212.193.30.29/download/Service.bmpC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/download/Service.bmpD
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/download/Service.bmpDtk%
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://212.193.30.29/download/Service.bmpFk
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://212.193.30.29/download/Service.bmpK
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286622786.0000000003687000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, Mon06dc62fb7183b9e.exe, 00000010.00000002.755737452.0000015F59499000.00000002.00020000.sdmp String found in binary or memory: http://activityhike.com/files/matthew14.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.474601596.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://amzrouting.com/amz.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.495479783.00000000039A9000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.496080830.00000000039A9000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.474151538.00000000039A8000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465889140.00000000039A8000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.491418519.00000000039AA000.00000004.00000010.sdmp String found in binary or memory: http://amzrouting.com/amz.exe&
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474601596.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp String found in binary or memory: http://amzrouting.com/amz.exe/$
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474601596.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp String found in binary or memory: http://amzrouting.com/amz.exeB
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://amzrouting.com/amz.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474601596.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp String found in binary or memory: http://amzrouting.com/amz.exeK$
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.495479783.00000000039A9000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.496080830.00000000039A9000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.474151538.00000000039A8000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465889140.00000000039A8000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.491418519.00000000039AA000.00000004.00000010.sdmp String found in binary or memory: http://amzrouting.com/amz.exew
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.490465547.00000000038F1000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://artguide.top/foradvertisingwwb.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://artguide.top/foradvertisingwwb.exe.j
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://artguide.top/foradvertisingwwb.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://artguide.top/foradvertisingwwb.exeLj
Source: Mon067df200a8fd43b.exe, 0000001A.00000000.324698994.00000000007BA000.00000004.00000020.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000000.329295507.00000000007BA000.00000004.00000020.sdmp String found in binary or memory: http://cleaner-partners.biz/stats/1.php?pub=/mixone
Source: Mon067df200a8fd43b.exe, 0000001A.00000000.324698994.00000000007BA000.00000004.00000020.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000000.329295507.00000000007BA000.00000004.00000020.sdmp String found in binary or memory: http://cleaner-partners.biz/stats/1.php?pub=/mixonet
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.769498880.0000000000838000.00000004.00000001.sdmp String found in binary or memory: http://cleaner-partners.biz/stats/save.php?pub=mixone&reason=0
Source: Mon06d47d8fde50.exe, 00000014.00000002.356338732.0000000003811000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Mon06cebe79e9a244.exe, 00000018.00000002.338850078.000000001C00D000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Mon06d47d8fde50.exe, 00000014.00000002.356338732.0000000003811000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Mon06d47d8fde50.exe, 00000014.00000002.356338732.0000000003811000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Mon06d47d8fde50.exe, 00000014.00000002.356338732.0000000003811000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Mon06d47d8fde50.exe, 00000014.00000002.356338732.0000000003811000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.336115554.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.320759663.0000015F73AC2000.00000004.00000001.sdmp String found in binary or memory: http://en.w$
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://hb888.luminati-china.net/AordVPNWZ3202111221117.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://hb888.luminati-china.net/AordVPNWZ3202111221117.exee
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286700487.000000000378A000.00000004.00000001.sdmp, setup_install.exe, 00000008.00000002.388421948.00000000004A2000.00000002.00020000.sdmp, setup_install.exe, 00000008.00000002.396310963.00000000027B4000.00000004.00000001.sdmp String found in binary or memory: http://hsiens.xyz/
Source: setup_install.exe, 00000008.00000002.396310963.00000000027B4000.00000004.00000001.sdmp String found in binary or memory: http://hsiens.xyz/addInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=149
Source: setup_install.exe, 00000008.00000000.318464197.00000000027BA000.00000004.00000001.sdmp, setup_install.exe, 00000008.00000002.396412681.00000000027BA000.00000004.00000001.sdmp String found in binary or memory: http://hsiens.xyz/addInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=149&oname
Source: setup_install.exe, 00000008.00000002.396310963.00000000027B4000.00000004.00000001.sdmp String found in binary or memory: http://hsiens.xyz/addInstallImpression.php?key=125478824515ADNxu2ccbwe&ip=&oid=149
Source: setup_install.exe, 00000008.00000002.396310963.00000000027B4000.00000004.00000001.sdmp String found in binary or memory: http://hsiens.xyz/myip.php
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286700487.000000000378A000.00000004.00000001.sdmp, setup_install.exe, 00000008.00000002.388421948.00000000004A2000.00000002.00020000.sdmp String found in binary or memory: http://hsiens.xyz/myip.phpaddInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=149addInstallImpression
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp String found in binary or memory: http://imgs.googlwaa.com/
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: http://iplogger.org
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://jooriz.xyz/loaqf/opqfj/comprehensive1.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://jooriz.xyz/loaqf/opqfj/comprehensive1.exeb
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://jooriz.xyz/loaqf/opqfj/comprehensive1.exee
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp, setup_install.exe, 00000008.00000000.329274659.0000000064957000.00000008.00020000.sdmp String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: http://ngdatas.pw/
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP
Source: Mon06d47d8fde50.exe, 00000014.00000002.356338732.0000000003811000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Mon06d47d8fde50.exe, 00000014.00000002.356338732.0000000003811000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://piratenhits.fm/luna1.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://piratenhits.fm/luna1.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://piratenhits.fm/luna1.exew
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.491418519.00000000039AA000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: http://privacy-tools-for-you-777.com/downloads/toolspab2.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://privacy-tools-for-you-777.com/downloads/toolspab2.exeC:
Source: Mon06cebe79e9a244.exe, 00000018.00000002.334772898.0000000002D8B000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp String found in binary or memory: http://staticimg.youtuuee.com/
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp String found in binary or memory: http://staticimg.youtuuee.com/0sizeof0http://staticimg.youtuuee.com/loadhttp://staticimg.youtuuee.co
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://tg8.cllgxx.com/sr21/rtst1047.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://tg8.cllgxx.com/sr21/rtst1047.exe1
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://tg8.cllgxx.com/sr21/rtst1047.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.525218061.00000000034E5000.00000004.00000001.sdmp String found in binary or memory: http://tg8.cllgxx.com/sr21/siww1047.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://tg8.cllgxx.com/sr21/siww1047.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://tg8.cllgxx.com/sr21/siww1047.exeel
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://unicupload.top/install4.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://unicupload.top/install4.exe0
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://unicupload.top/install4.exe9
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://unicupload.top/install4.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://unicupload.top/install4.exeexed.exeew
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://unistop.xyz/files/hiddis_setup_add.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp String found in binary or memory: http://unistop.xyz/files/hiddis_setup_add.exe=T4
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://unistop.xyz/files/hiddis_setup_add.exeU0
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.362761661.0000015F73AC5000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.353731551.0000015F73AC5000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.360341669.0000015F73AC5000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.355337382.0000015F73AC5000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.359874220.0000015F73AC5000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.357613136.0000015F73AC5000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.354901807.0000015F73AC5000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.354408861.0000015F73AC5000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.354603609.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.535304897.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530084134.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.535063167.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.525218061.00000000034E5000.00000004.00000001.sdmp String found in binary or memory: http://www.bqmqx.com/askhelp59/askinstall59.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://www.bqmqx.com/askhelp59/askinstall59.exe=
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://www.bqmqx.com/askhelp59/askinstall59.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://www.bqmqx.com/askhelp59/askinstall59.exee
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://www.bqmqx.com/askhelp59/askinstall59.exes1
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://www.bqmqx.com/askinstall59.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://www.bqmqx.com/askinstall59.exeh
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://www.bqmqx.com/askinstall59.exete
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.334786286.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.334786286.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comF_
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExe
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.370100242.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.370100242.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com_
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.370100242.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comque_
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.329887871.0000015F73AC3000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.329607633.0000015F73AC5000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.329546897.0000015F73AC3000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn_
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.329887871.0000015F73AC3000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.329607633.0000015F73AC5000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.329546897.0000015F73AC3000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnomCKnyu
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.329887871.0000015F73AC3000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.329607633.0000015F73AC5000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.329546897.0000015F73AC3000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnto
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.328237314.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.krkrl_
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: http://www.iyiqian.com/
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.341500992.0000015F73AC5000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.339044404.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.341500992.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//ywa
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.341500992.0000015F73AC5000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.339044404.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/F_
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.341500992.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/iv
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.341500992.0000015F73AC5000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000003.339044404.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.339044404.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/va
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286398639.000000000338E000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.491910284.0000000008BE0000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.480065435.0000000008BE0000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.477183574.00000000089D1000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.504367222.00000000066B0000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.479191330.0000000008AD9000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.476212579.0000000008A68000.00000004.00000001.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286398639.000000000338E000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.491910284.0000000008BE0000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.480065435.0000000008BE0000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.477183574.00000000089D1000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.504367222.00000000066B0000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.479191330.0000000008AD9000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.476212579.0000000008A68000.00000004.00000001.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.322401186.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.351190227.0000015F73ACB000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.328237314.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.328237314.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr(Q
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.491146778.0000000003977000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.495907459.0000000003977000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.495070362.0000000003977000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467229203.000000000342E000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://www.sauceremix.com/askhelp42/askinstall42.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: http://www.sauceremix.com/askhelp42/askinstall42.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: http://www.sauceremix.com/askhelp42/askinstall42.exeu0Y
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.466975935.000000000347D000.00000004.00000001.sdmp String found in binary or memory: http://www.sauceremix.com/askinstall42.exe
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: http://www.uefhkice.xyz/
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: http://www.xxhufdc.top/
Source: Mon06dc62fb7183b9e.exe, 00000010.00000003.334786286.0000015F73AC5000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: http://www.znsjis.top
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: http://www.znsjis.top/Home/Index/getdata
Source: Mon06d47d8fde50.exe, 00000014.00000002.356338732.0000000003811000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.496054752.000000000399E000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.491332009.000000000399E000.00000004.00000010.sdmp String found in binary or memory: https://aui-cdn.atlassian.com
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.491418519.00000000039AA000.00000004.00000010.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.491332009.000000000399E000.00000004.00000010.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/c982a1a8-fefb-4007-a9ed-bf0a777acf12/downloads/3727eea1-0103-
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.535304897.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530084134.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.535063167.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.525218061.00000000034E5000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.535304897.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530084134.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.465548105.00000000034F2000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.535063167.00000000034E5000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.525218061.00000000034E5000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/Yz
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475269322.000000000342E000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.529476536.000000000342E000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467229203.000000000342E000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483097390.0000000003A21000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/pavelalekseev10286/v1/downloads/xxxx.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/pavelalekseev10286/v1/downloads/xxxx.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org:80/pavelalekseev10286/v1/downloads/xxxx.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org:80/pavelalekseev10286/v1/downloads/xxxx.exe:
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.769353194.000000000081D000.00000004.00000001.sdmp String found in binary or memory: https://c.goatgameh.co/dlc/sharing.php?pub=mixone
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.357567657.0000000003403000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.364906010.0000000003408000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.354885929.0000000003403000.00000004.00000001.sdmp String found in binary or memory: https://c.info.io/
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp, Mon06885bbdb13fec3.exe, Mon06885bbdb13fec3.exe, 0000000E.00000002.805053405.0000000002801000.00000004.00000001.sdmp, Mon06885bbdb13fec3.exe, 0000000E.00000000.293872911.0000000000552000.00000002.00020000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/873244194234318850/889215117412171826/pctool.exe
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/886962207051640872/889069324206215208/1C0C7D25.jpg
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/905701898806493199/915522670873944114/Setup12.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/905701898806493199/915522670873944114/Setup12.exe(
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/905701898806493199/915522670873944114/Setup12.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/905701898806493199/915522670873944114/Setup12.exeP
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/905701898806493199/915522670873944114/Setup12.exeh
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/905701898806493199/915522670873944114/Setup12.exep
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.491146778.0000000003977000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/915310820416716862/sfx_123_310.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/915310820416716862/sfx_123_310.bmpC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/915310820416716862/sfx_123_310.bmpm
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.357567657.0000000003403000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.364906010.0000000003408000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.354885929.0000000003403000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/915859306728026132/PL_Client.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916211723546009650/help0301.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916211723546009650/help0301.bmp0
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916211723546009650/help0301.bmpC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916211723546009650/help0301.bmpp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916341616422322236/HwL0301.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916341616422322236/HwL0301.bmpARU?
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916341616422322236/HwL0301.bmpC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916341616422322236/HwL0301.bmpmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916341616422322236/HwL0301.bmpntSourcf
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.525571198.0000000008C8A000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916356408235159641/lance.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916356408235159641/lance.bmpC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.525571198.0000000008C8A000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916356408235159641/lance.bmpc
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916386354827497512/filinnn0301.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916386354827497512/filinnn0301.bmpC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916386354827497512/filinnn0301.bmpernk
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.529476536.000000000342E000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916387844342284388/ruzki.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916387844342284388/ruzki.bmpC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529476536.000000000342E000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916387844342284388/ruzki.bmpQ
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529476536.000000000342E000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916387844342284388/ruzki.bmpo
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916435485650456576/app0301.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916435485650456576/app0301.bmpX
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916580866153664522/mill.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916580866153664522/mill.bmpC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916612332497563718/Topov0401.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916612332497563718/Topov0401.bmpK
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916612332497563718/Topov0401.bmpc
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916612332497563718/Topov0401.bmpp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.484334610.0000000003ACF000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916681000476626984/SoftPInstaller0401.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916681000476626984/SoftPInstaller0401.bmpF
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916681000476626984/SoftPInstaller0401.bmpd
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916681821687775312/under0401.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916681821687775312/under0401.bmp3
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916681821687775312/under0401.bmpC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916681821687775312/under0401.bmpS
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916681821687775312/under0401.bmpV
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916699585185984542/7e248_0401.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916699585185984542/7e248_0401.bmp(
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916699585185984542/7e248_0401.bmpC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916699585185984542/7e248_0401.bmpE
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916699585185984542/7e248_0401.bmpp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916754844734337064/design0401.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916754844734337064/design0401.bmp=R4
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916754844734337064/design0401.bmpC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916754844734337064/design0401.bmpmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916754844734337064/design0401.bmps
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.524476080.0000000003AC9000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916756102165704704/install_new0402.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529073800.0000000003A7E000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.533738388.0000000003A7E000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524476080.0000000003AC9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916756102165704704/install_new0402.bmp:3
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916756102165704704/install_new0402.bmpC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916790043174125589/real0403.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916790043174125589/real0403.bmp;
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916790043174125589/real0403.bmpC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916790043174125589/real0403.bmpH
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916790682084057128/1234_0402.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916790682084057128/1234_0402.bmpCreat
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/916790682084057128/1234_0402.bmpR
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/915539163787460658/915542724923502643/Uponrun.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/915539163787460658/915542724923502643/Uponrun.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/915539163787460658/915542724923502643/Uponrun.exeH
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529542800.0000000003442000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/915539163787460658/915542724923502643/Uponrun.exeo
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/915539163787460658/915542724923502643/Uponrun.exep
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490465547.00000000038F1000.00000004.00000010.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/905701898806493199/915522670873944114/Setup12.exe?V=
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/915310820416716862/sfx_123_310.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916341616422322236/HwL0301.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916341616422322236/HwL0301.bmp)
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916341616422322236/HwL0301.bmpZ1
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916341616422322236/HwL0301.bmps
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916356408235159641/lance.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916356408235159641/lance.bmpx
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916386354827497512/filinnn0301.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916387844342284388/ruzki.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916387844342284388/ruzki.bmppn1
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916435485650456576/app0301.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916435485650456576/app0301.bmp=R4
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916580866153664522/mill.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916580866153664522/mill.bmp8
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916612332497563718/Topov0401.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916612332497563718/Topov0401.bmp:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916681000476626984/SoftPInstaller0401.b
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916681821687775312/under0401.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916699585185984542/7e248_0401.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916699585185984542/7e248_0401.bmp-0
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916754844734337064/design0401.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916756102165704704/install_new0402.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916756102165704704/install_new0402.bmpP
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916756102165704704/install_new0402.bmpn
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/916790682084057128/1234_0402.bmp
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/915539163787460658/915542724923502643/Uponrun.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/915539163787460658/915542724923502643/Uponrun.exe#
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/915539163787460658/915542724923502643/Uponrun.exeD1
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com:80/attachments/915539163787460658/915542724923502643/Uponrun.exeK
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp, setup_install.exe, 00000008.00000002.400820890.000000006B4CC000.00000040.00020000.sdmp String found in binary or memory: https://curl.se/V
Source: setup_install.exe, 00000008.00000002.399913126.000000006B49E000.00000002.00020000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp, setup_install.exe, 00000008.00000002.400820890.000000006B4CC000.00000040.00020000.sdmp String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: setup_install.exe, 00000008.00000002.399913126.000000006B49E000.00000002.00020000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.491332009.000000000399E000.00000004.00000010.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.461158788.0000000008CAB000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467467249.0000000008CF6000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.455896938.0000000008CF6000.00000004.00000001.sdmp String found in binary or memory: https://db-ip.com/https://ipgeolocation.io/https://www.maxmind.com/en/locate-my-ip-addresstype
Source: Mon06cebe79e9a244.exe, 00000018.00000002.334772898.0000000002D8B000.00000004.00000001.sdmp String found in binary or memory: https://dependstar.bar
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp, Mon06cebe79e9a244.exe, 00000018.00000002.334772898.0000000002D8B000.00000004.00000001.sdmp String found in binary or memory: https://dependstar.bar/
Source: Mon06cebe79e9a244.exe, 00000018.00000002.334772898.0000000002D8B000.00000004.00000001.sdmp String found in binary or memory: https://dependstar.bar/?username=p11_1
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://dependstar.bar/?username=p11_2
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://dependstar.bar/?username=p11_3
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://dependstar.bar/?username=p11_4
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://dependstar.bar/?username=p11_5
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://dependstar.bar/?username=p11_6
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://dependstar.bar/?username=p11_7
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://dependstar.bar8
Source: Mon06cebe79e9a244.exe, 00000018.00000002.334772898.0000000002D8B000.00000004.00000001.sdmp String found in binary or memory: https://dependstar.barx
Source: setup_install.exe, 00000008.00000002.404273720.000000006FF08000.00000002.00020000.sdmp String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Mon06dc62fb7183b9e.exe String found in binary or memory: https://github.com/ModuleArt/
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286622786.0000000003687000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000002.755737452.0000015F59499000.00000002.00020000.sdmp String found in binary or memory: https://github.com/ModuleArt/ehttps://github.com/ModuleArt/quick-picture-viewer/
Source: Mon06dc62fb7183b9e.exe String found in binary or memory: https://github.com/ModuleArt/quick-picture-viewer/
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286622786.0000000003687000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, Mon06dc62fb7183b9e.exe, 00000010.00000002.755737452.0000015F59499000.00000002.00020000.sdmp String found in binary or memory: https://github.com/ModuleArt/quick-picture-viewer/blob/master/LICENSE.md/
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286622786.0000000003687000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, Mon06dc62fb7183b9e.exe, 00000010.00000002.755737452.0000015F59499000.00000002.00020000.sdmp String found in binary or memory: https://github.com/ModuleArt/quick-picture-viewer/issues/
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://inhibitionclothing.bar
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://inhibitionclothing.bar/
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://inhibitionclothing.bar/?username=p11_1
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://inhibitionclothing.bar/?username=p11_2
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://inhibitionclothing.bar/?username=p11_3
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://inhibitionclothing.bar/?username=p11_4
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://inhibitionclothing.bar/?username=p11_5
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://inhibitionclothing.bar/?username=p11_6
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://inhibitionclothing.bar/?username=p11_7
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://inhibitionclothing.bar8
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://inhibitionclothing.barx
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.461158788.0000000008CAB000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467467249.0000000008CF6000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.455896938.0000000008CF6000.00000004.00000001.sdmp String found in binary or memory: https://ipinfo.io/Content-Type:
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/143up7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/14Jup7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/14Qju7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/14ePy7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/169Bx7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/16ajh7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/16xjh7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1746b7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1756b7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/19iM77
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1BBCf7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1CDGu7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1CUGu7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1Cr3a7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1DE477
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1G7Sc7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1GWfv7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1GaLz7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1Gbzj7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1Gczj7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1Ghzj7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1GiLz7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1Gjzj7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1H3Fa7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1KyTy7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1O2BH
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1OXFG
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1OZVH
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1OhAG
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1Pdet7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1RWXp7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1SWks7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1Smzs7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1Sxzs7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1T79i7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1T89i7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1TBch7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1TCch7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1TW3i7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1TXch7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1Tkij7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1UKG97
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1UpU57
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1Uts87
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1X8M97
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1XJq97
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1XKq97
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1XSq97
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1Z7qd7
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1a2jd7
Source: Mon06cebe79e9a244.exe, 00000018.00000002.336387446.0000000002E70000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1a3jd7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1aaVp7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1b4887
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1bV787
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1fHtp7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1lcZz
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1mxKf7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1pdxr7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1q6Jt7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1rDMq7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1rDMq785https://iplogger.org/1rd8N686https://iplogger.org/1spuy788https://iplog
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1rd8N6
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1s4qp7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1s5qp7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1spuy7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1uS4i7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1uW6i7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1wnqn7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1x5bg7
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1yXwr7
Source: Mon06cebe79e9a244.exe, 00000018.00000002.336387446.0000000002E70000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org8
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.orgx
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://prntscr.com/upload.php
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://scr8897465.s3.eu-west-1.amazonaws.com/Screen.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://scr8897465.s3.eu-west-1.amazonaws.com/Screen.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475269322.000000000342E000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467229203.000000000342E000.00000004.00000001.sdmp String found in binary or memory: https://scr8897465.s3.eu-west-1.amazonaws.com/Screen.exeO
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://scr8897465.s3.eu-west-1.amazonaws.com:80/Screen.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://scr8897465.s3.eu-west-1.amazonaws.com:80/Screen.exev
Source: Mon06d47d8fde50.exe, 00000014.00000002.356338732.0000000003811000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp String found in binary or memory: https://sf7584565426374orjhgt.s3.eu-west-2.amazonaws.com/
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://sf7584565426374orjhgt.s3.eu-west-2.amazonaws.com/BF1.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.490512120.00000000038F9000.00000004.00000010.sdmp String found in binary or memory: https://sf7584565426374orjhgt.s3.eu-west-2.amazonaws.com/BF1.exeC:
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://sf7584565426374orjhgt.s3.eu-west-2.amazonaws.com/BF1.exeN
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://sf7584565426374orjhgt.s3.eu-west-2.amazonaws.com/BF1.exee
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://sf7584565426374orjhgt.s3.eu-west-2.amazonaws.com/BF1.exem
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474601596.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466583772.0000000003443000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://sf7584565426374orjhgt.s3.eu-west-2.amazonaws.com:80/BF1.exe
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp String found in binary or memory: https://sf7584565426374orjhgt.s3.eu-west-2.amazonaws.com:80/BF1.exe(
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://sm.ms/api/v2/upload?inajax=1
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://sm.ms/api/v2/upload?inajax=1https://sm.ms/api/v2/upload?inajax=1
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://software-services.bar
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://software-services.bar/
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://software-services.bar/?username=p11_1
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://software-services.bar/?username=p11_2
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://software-services.bar/?username=p11_3
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://software-services.bar/?username=p11_4
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://software-services.bar/?username=p11_5
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://software-services.bar/?username=p11_6
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://software-services.bar/?username=p11_7
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://software-services.bar8
Source: Mon06cebe79e9a244.exe, 00000018.00000002.335949896.0000000002E1F000.00000004.00000001.sdmp String found in binary or memory: https://software-services.barx
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.534952015.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.496054752.000000000399E000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.475134063.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.467084665.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.524962169.0000000003493000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.491332009.000000000399E000.00000004.00000010.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.com/
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://www.aol.com
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.474490718.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.483974976.0000000003A1C000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.466394612.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://www.ctcodeinfo.com/favicon.ico
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://www.ctcodeinfo.com/search?q=
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/search?q=admob&oq=admob
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://www.listincode.com/
Source: Mon06885bbdb13fec3.exe, 0000000E.00000002.774058571.00000000011B0000.00000002.00020000.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000002.769824740.0000000000C40000.00000002.00020000.sdmp String found in binary or memory: https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_005523E0 InternetSetFilePointer,InternetReadFile,HttpQueryInfoA, 26_2_005523E0
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: protectionsuper_mac9988\Temp\cghjgasaaz99\" /s /e /y" "xcopy " --window-position=-50000,-50000 --user-data-dir=""","code":" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/","message":"{"type":"installresult","uid":"successerr : write reg failed(RegCreateKeyExA)err : write reg failed(RegSetValueExA)err : extension dir not found(possible no chrome installed)err : zip release failederr : securepref not founderr : parse json failederr : unknown1010","channelid":"","bid":"","adminmode":""}","version":"JSON=application/x-www-form-urlencoded;charset=utf-8http://www.iyiqian.com/http://www.xxhufdc.top/http://www.uefhkice.xyz//Home/Index/lkdinlhttp://GETPOSTPUTHEADDELETE equals www.facebook.com (Facebook)
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/ equals www.facebook.com (Facebook)
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp String found in binary or memory: %_viewport-width: 1920Sec-Fetch-Mode: navigate*?[Sec-Fetch-Site: same-originSec-Fetch-User: ?1Referer: https://www.facebook.com/Sec-Fetch-Dest: documentOrigin: https://www.facebook.com equals www.facebook.com (Facebook)
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp String found in binary or memory: Host: www.facebook.comloginKhe4g4 headerUg4e4GAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 equals www.facebook.com (Facebook)
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp String found in binary or memory: Sec-Fetch-Dest: documentSQSec-Fetch-Mode: navigateSec-Fetch-Site: same-originUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: document/ads/manager/account_settings/account_billingSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1Upgrade-Insecure-Requests: 1wbapi/graphql/?lll=ppp%SConnection: keep-alivesec-ch-ua-mobile: ?0sec-ch-ua: " Not;A Brand";v="99", "Microsoft Edge";v="91", "Chromium";v="91"X-FB-Friendly-Name: BillingAMNexusRootQueryAccept: */*Origin: https://www.facebook.com:Sec-Fetch-Site: same-originSec-Fetch-Mode: cors:Sec-Fetch-Dest: emptyAccept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1/api/graphql/0Connection: keep-alivesec-ch-ua-mobile: ?0Accept: */*sec-ch-ua: " Not;A Brand";v="99", "Microsoft Edge";v="91", "Chromium";v="91"X-FB-Friendly-Name: BillingTransactionTableQuerySec-Fetch-Site: same-originOrigin: https://www.facebook.com1Sec-Fetch-Mode: cors1Sec-Fetch-Dest: empty%SAccept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1v10.0/act_Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Accept: */*Content-type: application/x-www-form-urlencodedReferer: https://www.facebook.com/Sec-Fetch-Site: same-siteOrigin: https://www.facebook.comsecure.Sec-Fetch-Dest: empty||Sec-Fetch-Mode: corsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9domain//viewport-width: 1920primary_location/infostatemanager/account_settings/account_billingc_user profile.phpSec-Fetch-Dest: document=Sec-Fetch-Mode: navigate;Sec-Fetch-Site: none=Upgrade-Insecure-Requests: 1 
pages/?category=your_pageshttps://www.facebook.com/:Sec-Fetch-Dest: document=Sec-Fetch-Mode: navigate:Sec-Fetch-Site: none=Sec-Fetch-User: ?1Upgrade-Insecure-Requests: 1SendingGh8eu4i proxyPj9k4eh credentialsMn7j4e=SendingGfe5g requestRgreh4elogin get cookie407_khfa4i TheGhehg4g proxyIje4hg requiresDge4gj89 authenticationQerhj4ghnameBreakHghel3g forPe4jjhg multipleTje7i4hg 407_uh7a4r responseP5orjtegdomain1error_self1Error (WinHttpSetOption)secure0Error (WinHttpSetOption)Error (WinHttpAddRequestHeaders)- equals www.facebook.com (Facebook)
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/billing_history/summary/ equals www.facebook.com (Facebook)
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/adsmanager/manage/campaigns?act= equals www.facebook.com (Facebook)
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/adsmanager/manage/campaigns?act=fb_id equals www.facebook.com (Facebook)
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/profile.php?id=c_user&sk=friends equals www.facebook.com (Facebook)
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp String found in binary or memory: login/device-based/loginContent-Type: application/x-www-form-urlencodedhttp://staticimg.youtuuee.com//www.facebook.com/Host: www.facebook.comlogin/device-based/login equals www.facebook.com (Facebook)

Key, Mouse, Clipboard, Microphone and Screen Capturing:
Creates a DirectInput object (often for capturing keystrokes)
Source: setup_install.exe, 00000008.00000002.393914944.000000000091A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:
Yara Genericmalware
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340cda6.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340ada6.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340cda6.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.311875939.00007FF7B9D96000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe PID: 5000, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0699e256d5dc14.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\siww1047[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Pictures\Adobe Films\i4HzLCX9ix_xgRHB3fQN7Sf0.exe, type: DROPPED

System Summary:
PE file has a writeable .text section
Source: libcurl.dll.0.dr Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libcurlpp.dll.0.dr Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libstdc++-6.dll.0.dr Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.NET source code contains very large array initializations
Source: Mon06d47d8fde50.exe.0.dr, Unbarbered.Records/Class.cs Large array initialization: FlushPrinter: array initializer size 217460
Source: 20.0.Mon06d47d8fde50.exe.3d0000.0.unpack, Unbarbered.Records/Class.cs Large array initialization: FlushPrinter: array initializer size 217460
Source: 20.2.Mon06d47d8fde50.exe.3d0000.0.unpack, Unbarbered.Records/Class.cs Large array initialization: FlushPrinter: array initializer size 217460
PE file contains section with special chars
Source: Mon06cebe79e9a244.exe.0.dr Static PE information: section name: !Bc}
PE file has nameless sections
Source: Mon06cebe79e9a244.exe.0.dr Static PE information: section name:
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: section name:
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: section name:
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: section name:
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: section name:
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: section name:
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: section name:
Source: file3[1].exe.22.dr Static PE information: section name:
Source: file3[1].exe.22.dr Static PE information: section name:
Source: file3[1].exe.22.dr Static PE information: section name:
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6380 -s 852
Detected potential crypto function
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_3_01FD234C 0_3_01FD234C
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_0040BD85 0_2_0040BD85
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_00403101 0_2_00403101
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_00410138 0_2_00410138
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_004192A1 0_2_004192A1
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_0041937B 0_2_0041937B
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_00416C70 0_2_00416C70
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_00416536 0_2_00416536
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_00417EC0 0_2_00417EC0
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_00413ED0 0_2_00413ED0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00416050 8_2_00416050
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0040E010 8_2_0040E010
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0041A1F0 8_2_0041A1F0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0043C370 8_2_0043C370
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00452540 8_2_00452540
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0040C5C0 8_2_0040C5C0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00442620 8_2_00442620
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_004446E0 8_2_004446E0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0040E870 8_2_0040E870
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0043E920 8_2_0043E920
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0042E9F0 8_2_0042E9F0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00434BA0 8_2_00434BA0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00410C60 8_2_00410C60
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0043CE70 8_2_0043CE70
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00432F30 8_2_00432F30
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_004430E0 8_2_004430E0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0043F0B0 8_2_0043F0B0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0044F540 8_2_0044F540
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_004155B0 8_2_004155B0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00413840 8_2_00413840
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0043F860 8_2_0043F860
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_004358E0 8_2_004358E0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0043B940 8_2_0043B940
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0043D920 8_2_0043D920
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00417A80 8_2_00417A80
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00441B70 8_2_00441B70
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00443B90 8_2_00443B90
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00433C40 8_2_00433C40
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00447EB0 8_2_00447EB0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00431F10 8_2_00431F10
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0040DFD0 8_2_0040DFD0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00411F90 8_2_00411F90
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C4F4 8_2_0076C4F4
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C4E0 8_2_0076C4E0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C4EC 8_2_0076C4EC
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C4D4 8_2_0076C4D4
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C4C4 8_2_0076C4C4
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C4B8 8_2_0076C4B8
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C4AC 8_2_0076C4AC
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C540 8_2_0076C540
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C50C 8_2_0076C50C
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C5C8 8_2_0076C5C8
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C5B0 8_2_0076C5B0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C598 8_2_0076C598
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C580 8_2_0076C580
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C640 8_2_0076C640
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C600 8_2_0076C600
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C86C 8_2_0076C86C
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C848 8_2_0076C848
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C8FC 8_2_0076C8FC
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C8E0 8_2_0076C8E0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C8CC 8_2_0076C8CC
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C8B8 8_2_0076C8B8
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C8A4 8_2_0076C8A4
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C890 8_2_0076C890
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C95C 8_2_0076C95C
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C940 8_2_0076C940
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C92C 8_2_0076C92C
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0076C918 8_2_0076C918
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_025AB990 20_2_025AB990
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_025AE2A0 20_2_025AE2A0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_025AEA29 20_2_025AEA29
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_0261AAD9 20_2_0261AAD9
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_02615B20 20_2_02615B20
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_02613870 20_2_02613870
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_02616EE2 20_2_02616EE2
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_0261EF88 20_2_0261EF88
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_02618518 20_2_02618518
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_04D90040 20_2_04D90040
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_04DABE70 20_2_04DABE70
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_04DAA7D8 20_2_04DAA7D8
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_04DA9048 20_2_04DA9048
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_04DAD278 20_2_04DAD278
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_04DA83D0 20_2_04DA83D0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_04DACB10 20_2_04DACB10
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe Code function: 24_2_00007FFC0B99258B 24_2_00007FFC0B99258B
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe Code function: 24_2_00007FFC0B991DB9 24_2_00007FFC0B991DB9
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe Code function: 24_2_00007FFC0B9925E2 24_2_00007FFC0B9925E2
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00404640 26_2_00404640
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00417030 26_2_00417030
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_004172EB 26_2_004172EB
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0042D3DA 26_2_0042D3DA
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0042D4FA 26_2_0042D4FA
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0042950F 26_2_0042950F
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00424529 26_2_00424529
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00405670 26_2_00405670
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_004166A0 26_2_004166A0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0041674D 26_2_0041674D
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00413737 26_2_00413737
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_004068D4 26_2_004068D4
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0041B89B 26_2_0041B89B
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0042B909 26_2_0042B909
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00404980 26_2_00404980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00416ABF 26_2_00416ABF
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0041CB20 26_2_0041CB20
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00416D69 26_2_00416D69
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00423E15 26_2_00423E15
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00574065 26_2_00574065
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00567280 26_2_00567280
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0056753B 26_2_0056753B
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0057D62A 26_2_0057D62A
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0057975F 26_2_0057975F
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0057D74A 26_2_0057D74A
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_005668F0 26_2_005668F0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00554890 26_2_00554890
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0056699D 26_2_0056699D
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00563987 26_2_00563987
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0056BAEB 26_2_0056BAEB
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0056CD70 26_2_0056CD70
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00566D0F 26_2_00566D0F
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00566FB9 26_2_00566FB9
PE file contains strange resources
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Mon067f2fcee827.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Mon06dc62fb7183b9e.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Mon0630c6f1115ad5.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: comprehensive1[1].exe.22.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: comprehensive1[1].exe.22.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: g_MknxqsfTsoo1ZWGLulW9rc.exe.22.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: g_MknxqsfTsoo1ZWGLulW9rc.exe.22.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VkFchiXGaREjCGp6k2Ktr5lS.exe.22.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VkFchiXGaREjCGp6k2Ktr5lS.exe.22.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup12[1].exe.22.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup12[1].exe.22.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BF1[1].exe.22.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SSceGixduBzhWNhNwAlLoQH9.exe.22.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Section loaded: libcurlpp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Section loaded: libgcc_s_dw2-1.dll
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Section loaded: libgcc_s_dw2-1.dll
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Section loaded: playtodevice.dll
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Section loaded: devdispitemprovider.dll
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Section loaded: wpdshext.dll
PE file contains more sections than normal
Source: Mon060579dda3b.exe.0.dr Static PE information: Number of sections : 13 > 10
Source: libcurl.dll.0.dr Static PE information: Number of sections : 19 > 10
Source: libstdc++-6.dll.0.dr Static PE information: Number of sections : 12 > 10
Source: setup_install.exe.0.dr Static PE information: Number of sections : 16 > 10
Source: libcurlpp.dll.0.dr Static PE information: Number of sections : 18 > 10
Uses 32bit PE files
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 22.3.Mon0630c6f1115ad5.exe.3ad1438.86.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 22.3.Mon0630c6f1115ad5.exe.3ad1438.79.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 22.3.Mon0630c6f1115ad5.exe.3900630.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.354fb72.8.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 26.2.Mon067df200a8fd43b.exe.550e50.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 26.3.Mon067df200a8fd43b.exe.5d0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 26.0.Mon067df200a8fd43b.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 22.3.Mon0630c6f1115ad5.exe.3ad0b80.85.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 22.3.Mon0630c6f1115ad5.exe.3ad1438.89.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 22.3.Mon0630c6f1115ad5.exe.3ad0b80.77.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 26.0.Mon067df200a8fd43b.exe.550e50.2.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.354fb72.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 26.2.Mon067df200a8fd43b.exe.550e50.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 22.3.Mon0630c6f1115ad5.exe.3ad1438.73.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 22.3.Mon0630c6f1115ad5.exe.3acfa10.72.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 26.0.Mon067df200a8fd43b.exe.550e50.4.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 14.0.Mon06885bbdb13fec3.exe.550000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 26.0.Mon067df200a8fd43b.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 22.3.Mon0630c6f1115ad5.exe.3ac91c0.19.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 26.2.Mon067df200a8fd43b.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 22.3.Mon0630c6f1115ad5.exe.3acfa10.78.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 22.3.Mon0630c6f1115ad5.exe.3ad1438.88.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 22.3.Mon0630c6f1115ad5.exe.3ad0b80.71.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 22.3.Mon0630c6f1115ad5.exe.3ad1438.90.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 26.0.Mon067df200a8fd43b.exe.550e50.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 14.2.Mon06885bbdb13fec3.exe.550000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 26.2.Mon067df200a8fd43b.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 26.0.Mon067df200a8fd43b.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 26.0.Mon067df200a8fd43b.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 26.0.Mon067df200a8fd43b.exe.550e50.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 26.0.Mon067df200a8fd43b.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 26.3.Mon067df200a8fd43b.exe.5d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340cda6.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340ada6.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340cda6.9.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000001A.00000000.324919353.00000000007DD000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000014.00000002.356338732.0000000003811000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 0000001A.00000002.734191823.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 0000001A.00000000.323840946.0000000000550000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 0000001A.00000000.322943664.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 0000001A.00000000.328474387.0000000000550000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 0000001A.00000000.329483296.00000000007DD000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 0000001A.00000002.746618380.0000000000550000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 0000001A.00000002.764915300.00000000007DD000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 0000001A.00000000.327784720.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 0000001A.00000003.306556711.00000000005D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: Process Memory Space: Mon06d47d8fde50.exe PID: 6264, type: MEMORYSTR Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\PL_Client[1].bmp, type: DROPPED Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06be060a7cb426cf.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\Documents\Ei8DrAmaYu9K8ghN89CsjOW1.dll, type: DROPPED Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
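Two of the rules listed above fire on encoded content rather than on plaintext: SUSP_XORed_Mozilla matches "Mozilla/5.0" under a single-byte XOR key (YARA's xor modifier tries every key from 0x01 to 0xff), and SUSP_Double_Base64_Encoded_Executable matches an MZ header that was base64-encoded twice. The Python below is an added example, not part of this report or of the cited rules, that reproduces both checks so a hit can be followed up on a memory dump or a dropped file: it recovers the XOR key and decodes the buffer, and it peels base64 layers until a PE header appears. The blob and the fake PE stub it runs on are constructed inside the block, not taken from the sample.

```python
"""Follow-up for SUSP_XORed_Mozilla and SUSP_Double_Base64_Encoded_Executable hits.

Added example, not code from the report or from the rules. Inputs are constructed.
"""
import base64
import re

KEYWORD = b"Mozilla/5.0"


def find_xored_keyword(blob: bytes, keyword: bytes = KEYWORD) -> list[tuple[int, int]]:
    """Return (offset, key) pairs where keyword occurs XORed with one byte.

    Same search YARA's 'xor' modifier performs: every key 0x01..0xff is tried.
    Key 0x00 is skipped because a plaintext hit is not what the rule flags.
    """
    hits = []
    for key in range(1, 256):
        needle = bytes(b ^ key for b in keyword)
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append((idx, key))
            start = idx + 1
    return hits


def xor_decode(blob: bytes, key: int) -> bytes:
    """Undo (or apply) a single-byte XOR over the whole buffer."""
    return bytes(b ^ key for b in blob)


def peel_base64(data: bytes, max_layers: int = 4) -> tuple[int, bytes]:
    """Strip nested base64 layers until the data starts with an MZ header.

    Returns (layers_removed, payload), or (-1, data) when no PE header shows
    up within max_layers decodes or a layer is not valid base64. The YARA
    rule above fires at exactly two layers.
    """
    current = data
    for layers in range(max_layers + 1):
        if current.startswith(b"MZ"):
            return layers, current
        try:
            current = base64.b64decode(re.sub(rb"\s+", b"", current), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return -1, data
    return -1, data


# Constructed inputs (not from the sample): a fake PE stub encoded twice, and a
# fake user-agent string XORed with 0x5A and padded on both sides.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + bytes(range(64))
DOUBLE_B64 = base64.b64encode(base64.b64encode(FAKE_PE))
XOR_KEY = 0x5A
XORED_BLOB = (
    b"\x00" * 16
    + xor_decode(b"User-Agent: Mozilla/5.0 (Windows NT 10.0)", XOR_KEY)
    + b"\xff" * 8
)


def demo() -> dict:
    """Run both checks on the constructed inputs and return the findings."""
    hits = find_xored_keyword(XORED_BLOB)
    layers, payload = peel_base64(DOUBLE_B64)
    return {
        "xor_hits": hits,                       # [(28, 0x5A)]
        "decoded": xor_decode(XORED_BLOB, hits[0][1]) if hits else b"",
        "b64_layers": layers,                   # 2
        "payload_is_pe": payload.startswith(b"MZ"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The XOR scan deliberately reports every key that produces a hit; on a real dump a false key can surface when the buffer happens to contain the keyword XORed with something else, so check the decoded context around each offset before trusting the key. The base64 peeler stops at the first layer that yields an MZ header, which is the case the rule describes; a payload hidden under further transformations will come back as -1 and needs manual work.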
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: String function: 00403204 appears 37 times
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: String function: 00418D80 appears 123 times
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: String function: 00565070 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: String function: 00414E20 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: String function: 00402B60 appears 60 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_04D92CB8 NtAllocateVirtualMemory, 20_2_04D92CB8
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_04D92C00 NtUnmapViewOfSection, 20_2_04D92C00
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_04D92CB3 NtAllocateVirtualMemory, 20_2_04D92CB3
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Code function: 20_2_04D92BF8 NtUnmapViewOfSection, 20_2_04D92BF8
PE file contains executable resources (Code or Archives)
Source: Mon060579dda3b.exe.0.dr Static PE information: Resource name: ZIP type: Zip archive data, at least v1.0 to extract
Source: Mon0630c6f1115ad5.exe.0.dr Static PE information: Resource name: DLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Sample file is different than original file name gathered from version info
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286280630.00000000031FC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLine1 Street.exe: vs 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286280630.00000000031FC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBCompare.exe2 vs 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamepctool.exe4 vs 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameConsoleApp1.exe8 vs 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp Binary or memory string: OriginalFilename$ vs 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUnbarbered.exe4 vs 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000000.272419554.0000000000423000.00000002.00020000.sdmp Binary or memory string: OriginalFilename7zS.sfx.exe, vs 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamelibcurl.dllB vs 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWinPthreadGCp( vs 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286622786.0000000003687000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLively Screen Recorder.exeL vs 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe
Source: libcurl.dll.0.dr Static PE information: Section: .reloc IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libcurlpp.dll.0.dr Static PE information: Section: .reloc IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libstdc++-6.dll.0.dr Static PE information: Section: .reloc IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libcurl.dll.0.dr Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libcurlpp.dll.0.dr Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libstdc++-6.dll.0.dr Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: install4[1].exe.22.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: g_MknxqsfTsoo1ZWGLulW9rc.exe.22.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OWtr97fJ3mDnO4VToTTzkR9p.exe.22.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Kjf6fop4TDCFGr6Z3sfik8Kr.exe.22.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: libcurl.dll.0.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: libcurlpp.dll.0.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: libstdc++-6.dll.0.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: Mon06cebe79e9a244.exe.0.dr Static PE information: Section: !Bc} ZLIB complexity 1.00076729911
Source: Mon066b4a7578e0123e.exe.0.dr Static PE information: Section: .data ZLIB complexity 0.989554427346
Source: libcurl.dll.0.dr Static PE information: Section: .rdata ZLIB complexity 0.993694196429
Source: libcurl.dll.0.dr Static PE information: Section: .reloc ZLIB complexity 0.996710526316
Source: libcurlpp.dll.0.dr Static PE information: Section: /4 ZLIB complexity 1.00268554688
Source: libstdc++-6.dll.0.dr Static PE information: Section: /4 ZLIB complexity 0.99873490767
Source: libstdc++-6.dll.0.dr Static PE information: Section: .reloc ZLIB complexity 1.00014648438
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: Section: ZLIB complexity 1.00057768486
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: Section: ZLIB complexity 1.0107421875
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: Section: ZLIB complexity 1.00716145833
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: Section: ZLIB complexity 1.021484375
Source: file3[1].exe.22.dr Static PE information: Section: ZLIB complexity 0.999533182173
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
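The section flag lists above print many IMAGE_SCN_ALIGN_* names side by side. Those names are not independent bits: alignment is a 4-bit field (mask 0x00F00000) that holds at most one value and is only meaningful in object files, so a listing that shows several of them at once is a rendering quirk rather than a property of the file. The signal worth acting on in these lines is IMAGE_SCN_MEM_WRITE set together with IMAGE_SCN_MEM_EXECUTE on .text, the condition behind the "PE file has a writeable .text section" verdict. The Python below is an added example, not code from this report: it walks the section table of a PE image, decodes Characteristics as the format defines it, and returns the W+X sections. The two header-only images it checks are constructed in the block with made-up Characteristics values chosen to resemble the flag lists above; they are not the dropped DLLs.

```python
"""Section-table audit for the 'writeable .text section' verdict.
Added example, not from the report; the images are constructed header-only stubs."""
import struct

IMAGE_SCN_ALIGN_MASK = 0x00F00000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Single-bit flags in bit order; the alignment nibble is handled separately.
FLAG_NAMES = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x01000000: "IMAGE_SCN_LNK_NRELOC_OVFL",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x04000000: "IMAGE_SCN_MEM_NOT_CACHED",
    0x08000000: "IMAGE_SCN_MEM_NOT_PAGED",
    0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
COFF_HEADER = struct.Struct("<HHIIIHH")         # 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # 40 bytes


def decode_characteristics(value: int) -> dict:
    """Split Characteristics into its flag bits and its single alignment value.
    IMAGE_SCN_ALIGN_nBYTES are codes 1..14 in bits 20-23 meaning 2**(code-1)
    bytes, so at most one applies; testing them as bits lists most of them."""
    flags = [name for bit, name in FLAG_NAMES.items() if value & bit]
    code = (value & IMAGE_SCN_ALIGN_MASK) >> 20
    alignment = 1 << (code - 1) if 1 <= code <= 14 else None
    return {"flags": flags, "alignment": alignment}


def is_writable_code(value: int) -> bool:
    """W+X: the section can be executed and patched in place at run time."""
    return bool(value & IMAGE_SCN_MEM_EXECUTE) and bool(value & IMAGE_SCN_MEM_WRITE)


def parse_section_table(image: bytes) -> list[tuple[str, int]]:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = COFF_HEADER.unpack_from(image, e_lfanew + 4)
    n_sections, opt_header_size = coff[1], coff[5]
    table = e_lfanew + 4 + COFF_HEADER.size + opt_header_size
    sections = []
    for i in range(n_sections):
        hdr = SECTION_HEADER.unpack_from(image, table + i * SECTION_HEADER.size)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, hdr[9]))  # hdr[9] is Characteristics
    return sections


def writable_code_sections(image: bytes) -> list[str]:
    """Names of the sections that are both executable and writable."""
    return [name for name, ch in parse_section_table(image) if is_writable_code(ch)]


def build_stub_image(sections: list[tuple[bytes, int]]) -> bytes:
    """Constructed header-only image: DOS stub, PE signature, COFF header with
    SizeOfOptionalHeader = 0, then the section table. Parseable, not loadable."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = COFF_HEADER.pack(0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        SECTION_HEADER.pack(name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                            0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, ch)
        for i, (name, ch) in enumerate(sections)
    )
    return dos + b"PE\0\0" + coff + table


# Constructed Characteristics values picked to resemble the flag lists above.
CLEAN_IMAGE = build_stub_image([
    (b".text", 0x60000020),   # CODE | EXECUTE | READ
    (b".rdata", 0x40000040),  # INITIALIZED_DATA | READ
    (b".reloc", 0x42000040),  # INITIALIZED_DATA | DISCARDABLE | READ
])
SUSPECT_IMAGE = build_stub_image([
    (b".text", 0xE0500060),   # CODE | INIT_DATA | EXECUTE | READ | WRITE, align 16
    (b".data", 0xC0000040),   # INITIALIZED_DATA | READ | WRITE: normal for data
    (b".reloc", 0xC2000040),  # INITIALIZED_DATA | DISCARDABLE | READ | WRITE
])

if __name__ == "__main__":
    print("clean:", writable_code_sections(CLEAN_IMAGE))      # []
    print("suspect:", writable_code_sections(SUSPECT_IMAGE))  # ['.text']
    print(decode_characteristics(0xE0500060))
```

A writable .data or .reloc section is ordinary and is not reported; only a section that is both executable and writable is, which is why the check is on the pair of bits rather than on MEM_WRITE alone. Toolchains such as MinGW do emit W+X .text sections on benign binaries, so treat the hit as a prompt to look at what the code does with its own image, not as a verdict by itself.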
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20211204
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@80/115@0/34
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File read: C:\Users\desktop.ini
Source: Mon06d47d8fde50.exe.0.dr, Unbarbered.Models/ContainerTaskModel.cs Task registration methods: 'CreatePrinter'
Source: 20.0.Mon06d47d8fde50.exe.3d0000.0.unpack, Unbarbered.Models/ContainerTaskModel.cs Task registration methods: 'CreatePrinter'
Source: 20.2.Mon06d47d8fde50.exe.3d0000.0.unpack, Unbarbered.Models/ContainerTaskModel.cs Task registration methods: 'CreatePrinter'
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Virustotal: Detection: 61%
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File read: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe "C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe"
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe "C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06885bbdb13fec3.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06dc62fb7183b9e.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe Mon06885bbdb13fec3.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06f9c53ffae25af61.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Mon06dc62fb7183b9e.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06d47d8fde50.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06f9c53ffae25af61.exe Mon06f9c53ffae25af61.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon0630c6f1115ad5.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Mon06d47d8fde50.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06cebe79e9a244.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Mon0630c6f1115ad5.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon067df200a8fd43b.exe /mixone
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe Mon06cebe79e9a244.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon066b4a7578e0123e.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Mon067df200a8fd43b.exe /mixone
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon060579dda3b.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon0699e256d5dc14.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon066b4a7578e0123e.exe Mon066b4a7578e0123e.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon060579dda3b.exe Mon060579dda3b.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06be060a7cb426cf.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0699e256d5dc14.exe Mon0699e256d5dc14.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon067f2fcee827.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06434adde6c2.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06be060a7cb426cf.exe Mon06be060a7cb426cf.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067f2fcee827.exe Mon067f2fcee827.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06434adde6c2.exe Mon06434adde6c2.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067f2fcee827.exe Process created: C:\Users\user\AppData\Local\Temp\is-1U6PN.tmp\Mon067f2fcee827.tmp "C:\Users\user\AppData\Local\Temp\is-1U6PN.tmp\Mon067f2fcee827.tmp" /SL5="$60038,247014,163328,C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067f2fcee827.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6380 -s 852
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1028
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1028
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon060579dda3b.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 2084
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon060579dda3b.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 2084
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon066b4a7578e0123e.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 1120
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: C:\Users\user\Pictures\Adobe Films\v2lMWzt44zb0lQ28NgmZJByf.exe "C:\Users\user\Pictures\Adobe Films\v2lMWzt44zb0lQ28NgmZJByf.exe"
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe "C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06885bbdb13fec3.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06dc62fb7183b9e.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06f9c53ffae25af61.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06d47d8fde50.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon0630c6f1115ad5.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06cebe79e9a244.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon067df200a8fd43b.exe /mixone
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon066b4a7578e0123e.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon060579dda3b.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon0699e256d5dc14.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06be060a7cb426cf.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon067f2fcee827.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06434adde6c2.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1028
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe Mon06885bbdb13fec3.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Mon06dc62fb7183b9e.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06f9c53ffae25af61.exe Mon06f9c53ffae25af61.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Mon06d47d8fde50.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Mon0630c6f1115ad5.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe Mon06cebe79e9a244.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: C:\Users\user\Pictures\Adobe Films\v2lMWzt44zb0lQ28NgmZJByf.exe "C:\Users\user\Pictures\Adobe Films\v2lMWzt44zb0lQ28NgmZJByf.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: unknown unknown (12 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Mon067df200a8fd43b.exe /mixone
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon066b4a7578e0123e.exe Mon066b4a7578e0123e.exe
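The process tree above is where the triage questions sit: which child turned off defences (the cmd.exe to powershell.exe hop running Add-MpPreference -ExclusionPath on the very directory the 7-Zip SFX unpacked into), which child re-launched its own image (Mon06d47d8fde50.exe, the same process whose NtUnmapViewOfSection and NtAllocateVirtualMemory calls are listed under "Contains functionality to call native functions"; a parent and child with identical images next to those calls is a common process-hollowing pattern, although the report does not say which process received the injected PE), and which children crashed under WerFault before finishing, so their recorded behaviour is incomplete. The Python below is an added example, not part of the report: it parses a handful of the "Process created" lines copied from this section (constructed input, with the link text removed and one duplicated WerFault entry kept on purpose) and answers those questions from the process-creation records alone. The line regex is tailored to this report's format; over Sysmon event 1 or 4688 output the same checks apply once parent image, image and command line are mapped onto the record fields.

```python
"""Triage of the 'Process created' records above.
Added example, not part of the report. REPORT_LINES is a constructed subset of
the lines in this section (link text removed, one WerFault duplicate kept)."""
import re
from collections import Counter
from dataclasses import dataclass

REPORT_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe "C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe"
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe "C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06d47d8fde50.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6380 -s 852
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1028
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1028
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: C:\Users\user\Pictures\Adobe Films\v2lMWzt44zb0lQ28NgmZJByf.exe "C:\Users\user\Pictures\Adobe Films\v2lMWzt44zb0lQ28NgmZJByf.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: unknown unknown
"""

# Image paths may contain spaces, so the image is read up to its .exe/.tmp suffix.
LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: "
    r"(?P<image>unknown|.+?\.(?:exe|tmp))(?: (?P<cmdline>.*))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def parse_events(text: str) -> list[ProcEvent]:
    """Turn 'Source: <parent> Process created: <image> <cmdline>' lines into records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(m["parent"], m["image"], m["cmdline"] or ""))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def defender_exclusions(events: list[ProcEvent]) -> list[str]:
    """Paths passed to Add-MpPreference -ExclusionPath, deduplicated across the hops."""
    paths = set()
    for e in events:
        m = re.search(r'Add-MpPreference\s.*?-ExclusionPath\s+"?([^"]+)"?', e.cmdline, re.IGNORECASE)
        if m:
            paths.add(m.group(1).strip())
    return sorted(paths)


def self_spawns(events: list[ProcEvent]) -> list[str]:
    """Children whose image equals the parent's image: a re-launched copy of itself."""
    return [basename(e.image) for e in events if e.parent.lower() == e.image.lower()]


def temp_cmd_launches(events: list[ProcEvent]) -> list[str]:
    """Targets of 'cmd.exe /c <target>' spawned by a parent living under %TEMP%."""
    targets = []
    for e in events:
        if basename(e.image) != "cmd.exe" or "\\appdata\\local\\temp\\" not in e.parent.lower():
            continue
        m = re.search(r"/c\s+(\S+)", e.cmdline, re.IGNORECASE)
        if m:
            targets.append(m.group(1))
    return targets


def crashed_pids(events: list[ProcEvent]) -> dict[int, int]:
    """PIDs handed to WerFault -p, with how many times each crash was reported."""
    counts = Counter()
    for e in events:
        if basename(e.image) == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", e.cmdline)
            if m:
                counts[int(m.group(1))] += 1
    return dict(counts)


def triage(text: str) -> dict:
    events = parse_events(text)
    return {
        "events": len(events),
        "unresolved": sum(1 for e in events if e.image.lower() == "unknown"),
        "defender_exclusions": defender_exclusions(events),
        "self_spawns": self_spawns(events),
        "temp_cmd_launches": temp_cmd_launches(events),
        "crashed_pids": crashed_pids(events),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_LINES).items():
        print(f"{key}: {value}")
```

The exclusion check keys on the command line rather than on the process name because the same Add-MpPreference text is visible twice here, once on the cmd.exe hop and once on powershell.exe; deduplicating by path keeps the finding to the one directory that matters. The self-spawn check is a lead, not proof of hollowing: it only says that Mon06d47d8fde50.exe started a second copy of itself, and the memory dump of that child is where the unmapped-and-rewritten image would be confirmed.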
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00405570 CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize, 26_2_00405570
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp, 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp Binary or memory string: SELECT host,name,value,expiry FROM moz_cookies where host='.facebook.com';
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp, 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp, 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp, 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp Binary or memory string: SELECT origin_url,action_url,username_element,username_value,password_element,hex(password_value) password_value,submit_element,signon_realm,date_created,blacklisted_by_user,scheme,password_type,times_used,form_data,date_synced,display_name,icon_url,federation_url,skip_zero_click,generation_upload_status,possible_username_pairs,id,date_last_used,moving_blocked_for FROM logins;
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3744:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: __cfduid 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: mixthree 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: euthree 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: cashtg 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: peu 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: pmix 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: tgcash 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: eufour 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: ueu 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: eufive 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: eux 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: usfour 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: willus 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: uus 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: cashus 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: euone 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: eutwo 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: cashmix 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: willmix 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: willeu 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: ustwo 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: tgsix 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: tgone 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: caone 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: cafive 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: mixtwo 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: mixsix 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: cafour 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: mixfive 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: mixfour 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: casix 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: mixone 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: usthree 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: pus 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: umix 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: pux 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: usone 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: casheu 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: usfive 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: GET 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: pus 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: mixtwo 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: mixtwo 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: /mixtwo 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: pus 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: /pus 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: peu 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: /peu 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: pmix 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: /pmix 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: NOPARAM 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: SUB= 26_2_0040D980
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Command line argument: SUB= 26_2_0040D980
Source: setup_install.exe String found in binary or memory: -stop
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06f9c53ffae25af61.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Static file information: File size 4250831 > 1048576
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Mon0630c6f1115ad5.exe, 00000016.00000003.462459069.00000000089D1000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.468369171.0000000008A1B000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.460981425.0000000003A7E000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.476212579.0000000008A68000.00000004.00000001.sdmp
Source: Binary string: libdwarf.pdb source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286280630.00000000031FC000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000000.297778513.0000000000897000.00000002.00020000.sdmp
Source: Binary string: C:\cugavek\3_f.pdb source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286369517.000000000333B000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.362017492.0000000003414000.00000004.00000001.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000000.300443282.000000000041D000.00000002.00020000.sdmp
Source: Binary string: C:\misugi-jekotibisagujo\dipaka canumiyud.pdblvBlGB source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286622786.0000000003687000.00000004.00000001.sdmp, Mon06f9c53ffae25af61.exe, 00000012.00000000.295808745.000000000041D000.00000002.00020000.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.359231693.0000000003414000.00000004.00000001.sdmp
Source: Binary string: F:\facebook_svn\trunk\database\Release\DiskScan.pdbM source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286622786.0000000003687000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000002.755737452.0000015F59499000.00000002.00020000.sdmp
Source: Binary string: WerFault.pdb source: Mon0630c6f1115ad5.exe, 00000016.00000003.367210520.000000000341B000.00000004.00000001.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|52414EC411DEA325110F0AD21378C8D101897989|2544 source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286622786.0000000003687000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, 00000010.00000002.755737452.0000015F59499000.00000002.00020000.sdmp
Source: Binary string: costura.costura.pdb.compressed source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286622786.0000000003687000.00000004.00000001.sdmp, Mon06dc62fb7183b9e.exe, Mon06dc62fb7183b9e.exe, 00000010.00000002.755737452.0000015F59499000.00000002.00020000.sdmp
Source: Binary string: C:\misugi-jekotibisagujo\dipaka canumiyud.pdb source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286622786.0000000003687000.00000004.00000001.sdmp, Mon06f9c53ffae25af61.exe, 00000012.00000000.295808745.000000000041D000.00000002.00020000.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.359231693.0000000003414000.00000004.00000001.sdmp
Source: Binary string: libdwarf.pdbY source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286280630.00000000031FC000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000000.297778513.0000000000897000.00000002.00020000.sdmp
Source: Binary string: cmd.pdbUGP source: Mon0630c6f1115ad5.exe, 00000016.00000003.363840177.0000000003415000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.358894674.0000000003414000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.361646952.0000000003414000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.357419446.0000000003414000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.365882994.0000000003415000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.364695500.0000000003415000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.362908244.0000000003414000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.360851718.0000000003414000.00000004.00000001.sdmp
Source: Binary string: F:\facebook_svn\trunk\database\Release\DiskScan.pdb source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp
Source: Binary string: D:\workspace\workspace_c\shellcode_ms\SCY7VJ5UA3Du3GAh1_jm1\x64\Release\SCY7VJ5UA3Du3GAh1_jm1.pdb source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp
Source: Binary string: C:\lopex-zaribapu.pdb source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286280630.00000000031FC000.00000004.00000001.sdmp
Source: Binary string: \MOn[C:\cugavek\3_f.pdblvBlGB source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286369517.000000000333B000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.362017492.0000000003414000.00000004.00000001.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000000.300443282.000000000041D000.00000002.00020000.sdmp
Source: Binary string: cmd.pdb source: Mon0630c6f1115ad5.exe, 00000016.00000003.363840177.0000000003415000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.358894674.0000000003414000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.361646952.0000000003414000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.357419446.0000000003414000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.365882994.0000000003415000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.364695500.0000000003415000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.362908244.0000000003414000.00000004.00000001.sdmp, Mon0630c6f1115ad5.exe, 00000016.00000003.360851718.0000000003414000.00000004.00000001.sdmp
Source: Binary string: costura.costura.dll.compressed|5.3.0.0|Costura, Version=5.3.0.0, Culture=neutral, PublicKeyToken=null|Costura.dll|790691B8E17BE618ABE2C596B93EB925FC4C1142|4608 costura.costura.pdb.compressed|||Costura.pdb|52414EC411DEA325110F0AD21378C8D101897989|2544 costura source: Mon06dc62fb7183b9e.exe
Source: Binary string: WerFault.pdbGCTL source: Mon0630c6f1115ad5.exe, 00000016.00000003.367210520.000000000341B000.00000004.00000001.sdmp
Source: Binary string: C:\lopex-zaribapu.pdblvB source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286280630.00000000031FC000.00000004.00000001.sdmp
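The SQL strings in the "Binary or memory string" lines earlier in this section are queries against Chromium's Login Data and Cookies SQLite files (tables logins and cookies, columns password_value and encrypted_value) and Firefox's cookies.sqlite (moz_cookies), which is what browser credential theft looks like in memory; the PDB paths just above point at the authors' build trees. The following Python is an added triage example, not part of this Joe Sandbox report. It pulls SQL statements and PDB paths out of a dump, drops SQLite's own housekeeping SQL (present in anything that links sqlite3) and the PDB names of Windows images that are merely mapped into the process, and labels what remains. SAMPLE_DUMP is a constructed memory blob built from the report's strings (the long Chromium queries shortened); the marker table and the SYSTEM_PDBS list are the example's own assumptions.

```python
"""Added triage of 'Binary or memory string' indicators: browser credential
store SQL and embedded PDB paths in a memory dump or unpacked binary."""
import re

SQL_STATEMENT = re.compile(rb"(?:SELECT|INSERT|UPDATE)\b[^;\x00]{1,1200}", re.I)
PDB_PATH = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,250}?\.pdb|[\w+\-]{1,64}\.pdb")

# Required substrings -> label. Table/column names are those of Chromium's
# "Login Data" and "Cookies" SQLite files and Firefox's cookies.sqlite;
# a process that is not a browser has no reason to issue these queries.
BROWSER_STORE_MARKERS = [
    ((b"from logins", b"password_value"), "chromium_logins"),
    ((b"from cookies", b"encrypted_value"), "chromium_cookies"),
    ((b"from moz_cookies",), "firefox_cookies"),
]
# SQLite's own housekeeping SQL: present in anything that links sqlite3.
SQLITE_INTERNAL = (b"sqlite_master", b"sqlite_temp_master", b"vacuum_db", b"sqlite_rename")
# Assumed list of PDB names that land in a dump because the process mapped or
# spawned the Windows image (cmd.exe, WerFault.exe); not the malware's own.
SYSTEM_PDBS = {b"cmd.pdb", b"werfault.pdb", b"ntdll.pdb", b"kernel32.pdb", b"kernelbase.pdb"}


def classify_sql(stmt):
    low = stmt.lower()
    if any(marker in low for marker in SQLITE_INTERNAL):
        return "sqlite_internal"
    for needles, label in BROWSER_STORE_MARKERS:
        if all(n in low for n in needles):
            return label
    return "other"


def triage_strings(blob):
    queries = {}
    for m in SQL_STATEMENT.finditer(blob):
        label = classify_sql(m.group(0))
        if label not in ("sqlite_internal", "other"):
            queries.setdefault(label, []).append(m.group(0).decode("latin-1"))
    pdbs = {m.group(0) for m in PDB_PATH.finditer(blob)}
    own_pdbs = sorted(p.decode("latin-1") for p in pdbs
                      if p.lower().rsplit(b"\\", 1)[-1] not in SYSTEM_PDBS)
    return {
        "stealer_queries": queries,
        "pdb_paths": own_pdbs,
        "verdict": "browser-credential-theft" if queries else "no stealer SQL found",
    }


# Constructed dump: the report's strings (Chromium queries shortened),
# NUL-separated as they sit in process memory, plus benign filler.
SAMPLE_DUMP = b"\x00".join([
    b"SELECT origin_url,action_url,username_value,hex(password_value) password_value,"
    b"signon_realm,date_created FROM logins;",
    b"SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,"
    b"hex(encrypted_value) encrypted_value,samesite FROM cookies;",
    b"SELECT host,name,value,expiry FROM moz_cookies where host='.facebook.com';",
    b"SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || "
    b"quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';",
    b"UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;",
    b"F:\\facebook_svn\\trunk\\database\\Release\\DiskScan.pdbM",
    b"\\MOn[C:\\cugavek\\3_f.pdblvBlGB",
    b"D:\\workspace\\workspace_c\\shellcode_ms\\SCY7VJ5UA3Du3GAh1_jm1\\x64\\Release\\SCY7VJ5UA3Du3GAh1_jm1.pdb",
    b"libdwarf.pdbY",
    b"WerFault.pdbGCTL",
    b"cmd.pdbUGP",
    b"GetProcAddress",
])

if __name__ == "__main__":
    result = triage_strings(SAMPLE_DUMP)
    print(result["verdict"])
    for label, stmts in result["stealer_queries"].items():
        print(f"  {label}: {len(stmts)} query(s)")
    for path in result["pdb_paths"]:
        print(f"  pdb: {path}")
```

Run it over a raw process dump (for example the .sdmp regions referenced above) by passing the file's bytes to triage_strings(). The SQLite-internal filter matters: the vacuum_db and sqlite_rename_* statements in the report are library code and would appear in any sqlite3-linked program, so only the table-specific queries are evidence; likewise cmd.pdb and WerFault.pdb in Mon0630c6f1115ad5.exe's memory come from the processes it spawned, while the drive-letter build paths are attributable to the malware authors.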

Data Obfuscation:

Yara detected Costura Assembly Loader
Source: Yara match File source: 16.0.Mon06dc62fb7183b9e.exe.15f593e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Mon06dc62fb7183b9e.exe.15f593e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.755737452.0000015F59499000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.294796789.0000015F59499000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.286622786.0000000003687000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe PID: 5000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mon06dc62fb7183b9e.exe PID: 6188, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe, type: DROPPED
Obfuscated command line found
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067f2fcee827.exe Process created: C:\Users\user\AppData\Local\Temp\is-1U6PN.tmp\Mon067f2fcee827.tmp "C:\Users\user\AppData\Local\Temp\is-1U6PN.tmp\Mon067f2fcee827.tmp" /SL5="$60038,247014,163328,C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067f2fcee827.exe"
Note: /SL5="$<hwnd>,<offset>,<offset>,<path>" is the standard relaunch argument of the Inno Setup loader (SetupLdr extracts the setup program to is-XXXXX.tmp\*.tmp and passes it a window handle, two offsets into the original executable and its path), so on its own this line shows that Mon067f2fcee827.exe is an Inno Setup installer, not that the command line is obfuscated.
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_3_01FD7DE6 push eax; ret 0_3_01FD7DE7
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_3_01FD6BBB push es; ret 0_3_01FD6BEC
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_3_01FD6A46 push es; iretd 0_3_01FD6B28
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_00414150 push ecx; mov dword ptr [esp], ecx 0_2_00414151
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_00418D80 push eax; ret 0_2_00418D9E
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_00418DB0 push eax; ret 0_2_00418DDE
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_004580D0 push eax; mov dword ptr [esp], ebx 8_2_004586C6
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0043E08D push edx; mov dword ptr [esp], ebx 8_2_0043E0A1
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00440166 push edx; mov dword ptr [esp], ebx 8_2_0044017A
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0044A199 push eax; mov dword ptr [esp], ebx 8_2_0044A1AD
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0044A369 push eax; mov dword ptr [esp], ebx 8_2_0044A37D
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0046A320 push edx; mov dword ptr [esp], ebx 8_2_0046A5E5
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0046A320 push eax; mov dword ptr [esp], ebx 8_2_0046A60F
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_004465D9 push edx; mov dword ptr [esp], ebx 8_2_004465ED
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_004487F3 push edx; mov dword ptr [esp], ebx 8_2_00448807
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0043E8F5 push edx; mov dword ptr [esp], ebx 8_2_0043E909
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00440A1F push edx; mov dword ptr [esp], ebx 8_2_00440A33
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00426AFC push eax; mov dword ptr [esp], ebx 8_2_0049944A
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00456B20 push eax; mov dword ptr [esp], ebx 8_2_00457120
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00482BC0 push eax; mov dword ptr [esp], esi 8_2_0049871D
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00482D00 push eax; mov dword ptr [esp], esi 8_2_0049871D
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00466DA0 push eax; mov dword ptr [esp], ebx 8_2_00466EB6
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00446E80 push edx; mov dword ptr [esp], ebx 8_2_00446E94
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00466FE0 push eax; mov dword ptr [esp], ebx 8_2_004670F5
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_004690F0 push edx; mov dword ptr [esp], ebx 8_2_00469301
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_004690F0 push eax; mov dword ptr [esp], ebx 8_2_0046931B
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0043F08D push edx; mov dword ptr [esp], ebx 8_2_0043F0A1
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_004490AE push edx; mov dword ptr [esp], ebx 8_2_004490C2
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00457160 push eax; mov dword ptr [esp], ebx 8_2_00457760
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0044118A push ecx; mov dword ptr [esp], ebx 8_2_0044119E
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0042309A push eax; mov dword ptr [esp], ebx 8_2_0049944A
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_004014E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_004014E0
Binary contains a suspicious time stamp
Source: Mon06be060a7cb426cf.exe.0.dr Static PE information: 0xE66F9C1C [Sat Jul 5 05:29:00 2092 UTC]
PE file contains sections with non-standard names
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Static PE information: section name: .sxdata
Source: Mon0699e256d5dc14.exe.0.dr Static PE information: section name: _RDATA
Source: Mon06cebe79e9a244.exe.0.dr Static PE information: section name: !Bc}
Source: Mon06cebe79e9a244.exe.0.dr Static PE information: section name:
Source: setup_install.exe.0.dr Static PE information: section name: /4
Source: setup_install.exe.0.dr Static PE information: section name: /14
Source: setup_install.exe.0.dr Static PE information: section name: /29
Source: setup_install.exe.0.dr Static PE information: section name: /41
Source: setup_install.exe.0.dr Static PE information: section name: /55
Source: setup_install.exe.0.dr Static PE information: section name: /67
Source: setup_install.exe.0.dr Static PE information: section name: /80
Source: setup_install.exe.0.dr Static PE information: section name: /91
Source: setup_install.exe.0.dr Static PE information: section name: /102
Source: Mon060579dda3b.exe.0.dr Static PE information: section name: .ghhergf
Source: Mon060579dda3b.exe.0.dr Static PE information: section name: .ghhergf
Source: Mon060579dda3b.exe.0.dr Static PE information: section name: .ghhergf
Source: Mon060579dda3b.exe.0.dr Static PE information: section name: .ghhergf
Source: Mon060579dda3b.exe.0.dr Static PE information: section name: .ghhergf
Source: Mon060579dda3b.exe.0.dr Static PE information: section name: .ghhergf
Source: Mon060579dda3b.exe.0.dr Static PE information: section name: .ghhergf
Source: Mon060579dda3b.exe.0.dr Static PE information: section name: .ghhergf
Source: libcurl.dll.0.dr Static PE information: section name: /4
Source: libcurl.dll.0.dr Static PE information: section name: /14
Source: libcurl.dll.0.dr Static PE information: section name: /29
Source: libcurl.dll.0.dr Static PE information: section name: /41
Source: libcurl.dll.0.dr Static PE information: section name: /55
Source: libcurl.dll.0.dr Static PE information: section name: /67
Source: libcurl.dll.0.dr Static PE information: section name: /80
Source: libcurl.dll.0.dr Static PE information: section name: .aspack
Source: libcurl.dll.0.dr Static PE information: section name: .adata
Source: libcurlpp.dll.0.dr Static PE information: section name: /4
Source: libcurlpp.dll.0.dr Static PE information: section name: /14
Source: libcurlpp.dll.0.dr Static PE information: section name: /29
Source: libcurlpp.dll.0.dr Static PE information: section name: /41
Source: libcurlpp.dll.0.dr Static PE information: section name: /55
Source: libcurlpp.dll.0.dr Static PE information: section name: /67
Source: libcurlpp.dll.0.dr Static PE information: section name: /80
Source: libcurlpp.dll.0.dr Static PE information: section name: .aspack
Source: libcurlpp.dll.0.dr Static PE information: section name: .adata
Source: libgcc_s_dw2-1.dll.0.dr Static PE information: section name: /4
Source: libstdc++-6.dll.0.dr Static PE information: section name: /4
Source: libstdc++-6.dll.0.dr Static PE information: section name: .aspack
Source: libstdc++-6.dll.0.dr Static PE information: section name: .adata
Source: comprehensive1[1].exe.22.dr Static PE information: section name: .didat
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: section name:
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: section name:
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: section name:
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: section name:
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: section name:
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: section name:
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: section name: .rz7RpXi
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: section name: .adata
Source: VkFchiXGaREjCGp6k2Ktr5lS.exe.22.dr Static PE information: section name: .didat
Source: file3[1].exe.22.dr Static PE information: section name:
Source: file3[1].exe.22.dr Static PE information: section name:
Source: file3[1].exe.22.dr Static PE information: section name:
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .aspack
PE file contains an invalid checksum
Source: Mon0630c6f1115ad5.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x87d63
Source: Mon060579dda3b.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x17035f
Source: SSceGixduBzhWNhNwAlLoQH9.exe.22.dr Static PE information: real checksum: 0x0 should be: 0xc4959
Source: Mon067f2fcee827.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x81605
Source: Mon06dc62fb7183b9e.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x18dad3
Source: Mon06be060a7cb426cf.exe.0.dr Static PE information: real checksum: 0x114cc should be: 0x6cc0
Source: Mon0699e256d5dc14.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x169ed2
Source: VkFchiXGaREjCGp6k2Ktr5lS.exe.22.dr Static PE information: real checksum: 0x0 should be: 0x1dc2f2
Source: Mon06434adde6c2.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x58c0
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Static PE information: real checksum: 0x0 should be: 0x415044
Source: Mon06885bbdb13fec3.exe.0.dr Static PE information: real checksum: 0x0 should be: 0xb237
Source: Mon06d47d8fde50.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x7381d
Source: BF1[1].exe.22.dr Static PE information: real checksum: 0x0 should be: 0xc4959
Source: comprehensive1[1].exe.22.dr Static PE information: real checksum: 0x0 should be: 0x1dc2f2
Source: G2_EIY9DOQs4sNlH3UBGIHNs.exe.22.dr Static PE information: real checksum: 0x39ed1e should be: 0x1c48de
Source: Setup12[1].exe.22.dr Static PE information: real checksum: 0x3b377 should be: 0x2f0556
Source: initial sample Static PE information: section name: !Bc} entropy: 7.9849942825
Source: initial sample Static PE information: section name: .text entropy: 7.99814642994
Source: initial sample Static PE information: section name: .text entropy: 7.9218416351
Source: initial sample Static PE information: section name: .text entropy: 7.99866963384
Source: initial sample Static PE information: section name: .text entropy: 7.52708547616
Source: initial sample Static PE information: section name: .text entropy: 7.38836393883
Source: initial sample Static PE information: section name: entropy: 7.99582216841
Source: initial sample Static PE information: section name: entropy: 7.78031796917
Source: initial sample Static PE information: section name: entropy: 7.8859159857
Source: initial sample Static PE information: section name: entropy: 7.60287604049
Source: initial sample Static PE information: section name: .rz7RpXi entropy: 7.91728484067
Source: initial sample Static PE information: section name: entropy: 7.99723619832
Source: initial sample Static PE information: section name: .text entropy: 7.52708547616
Source: initial sample Static PE information: section name: .text entropy: 7.86171255307

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\NiceProcessX64[1].bmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Service[1].bmp Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\Rd4mWWpY8ZOYLzPUXbMr48g7.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\file3[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file1[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\m2PzJMaaHvuiEXPrW9IESqkw.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\t_TANZARSQj6Lm0MYeecrdiq.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\EH2UqXkmGsdM7d8RuuDQ7km6.exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06434adde6c2.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\toolspab2[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\i4HzLCX9ix_xgRHB3fQN7Sf0.exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0699e256d5dc14.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\v2lMWzt44zb0lQ28NgmZJByf.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\jZeSZ7G4RBTtRczlFfTTU7V0.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\ferrari[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\askinstall42[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\NiceProcessX64[1].bmp Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\libstdc++-6.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\bClhmhZlpCeoCXI8ug2wg8mi.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\8L6ugJuHG9eDlcL37667vJc9.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\TITkxzS0gfvs2KvVCeBpa4X_.exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Udp[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\oZDWC0g1pLExrhRg1QUAie8H.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\yKMxNjEP8bMVNZSwxDurpHkG.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\hl_J5ttTbMmf2AhgPYwvzG__.exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\libcurl.dll Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\askinstall59[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\qfccVzmWr1gnzwyOYDWeOqRI.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\biQtzmlvUuePquCyc26WOk81.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\MMMy7Y8hjR6Y29cpH6i8H_U7.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\install4[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\xb1pVUTNv4joD4Xqj7uK3Edx.exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\libcurlpp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\g_MknxqsfTsoo1ZWGLulW9rc.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\qdL8dkydTER5O_7_V_AI0RtR.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\B9sunPpJzOhhqi2LNmnFA1Vf.exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon066b4a7578e0123e.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\Z_vRblvz9Nut3_fUjgc3y2tG.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\ekfeDHeefrpVeOLF_zEospRe.exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon060579dda3b.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Service[1].bmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\So_nQ0f6036W5A_oTVjjj7ec.exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06be060a7cb426cf.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\comprehensive1[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\amz[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\Km91VWEL8QlQMf6PXBcS7CUg.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\z6E_29nD8ae2MMWCQ6qNBkCO.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BF1[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\70gT3_jLhoTN69YJz2eMYaZ8.exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\VkFchiXGaREjCGp6k2Ktr5lS.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\siww1047[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\Setup12[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067f2fcee827.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\G2_EIY9DOQs4sNlH3UBGIHNs.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AordVPNWZ3202111221117[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\setup_525403[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\MVqkmKxpMmLZNmFpGwUpdGg4.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\xxxx[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\libwinpthread-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06f9c53ffae25af61.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Uponrun[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\OWtr97fJ3mDnO4VToTTzkR9p.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\xFaFx_Szk00JnPF7AvMMVAeu.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\SSceGixduBzhWNhNwAlLoQH9.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\i_OjgwShp6vSNPTHoCRKJq5M.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\Kjf6fop4TDCFGr6Z3sfik8Kr.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\eyCAN_PVePYm1Gl5JhE7GSOh.exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\libgcc_s_dw2-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File created: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File created: C:\Users\user\Pictures\Adobe Films\NikB4LocWiKFuKasNcrhRDqo.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00413737 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 26_2_00413737
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp, Mon06885bbdb13fec3.exe, Mon06885bbdb13fec3.exe, 0000000E.00000000.293872911.0000000000552000.00000002.00020000.sdmp Binary or memory string: SBIEDLL.DLL
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06f9c53ffae25af61.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6196 Thread sleep count: 5184 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6200 Thread sleep count: 1057 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6376 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6248 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe TID: 2056 Thread sleep time: -105000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe TID: 6432 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe TID: 6332 Thread sleep count: 97 > 30
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe TID: 6388 Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe TID: 6568 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5184
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1057
Contains functionality to detect sandboxes (foreground window change detection)
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: __Init_thread_footer,GetUserNameA,__Init_thread_footer,__Init_thread_footer,GetForegroundWindow,GetForegroundWindow,GetWindowTextA,Sleep,GetForegroundWindow,GetWindowTextA, 26_2_00404980
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\Rd4mWWpY8ZOYLzPUXbMr48g7.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\file3[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file1[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\m2PzJMaaHvuiEXPrW9IESqkw.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\t_TANZARSQj6Lm0MYeecrdiq.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\EH2UqXkmGsdM7d8RuuDQ7km6.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\toolspab2[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\i4HzLCX9ix_xgRHB3fQN7Sf0.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\ferrari[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\jZeSZ7G4RBTtRczlFfTTU7V0.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\askinstall42[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\bClhmhZlpCeoCXI8ug2wg8mi.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\8L6ugJuHG9eDlcL37667vJc9.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\TITkxzS0gfvs2KvVCeBpa4X_.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Udp[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\yKMxNjEP8bMVNZSwxDurpHkG.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\oZDWC0g1pLExrhRg1QUAie8H.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\hl_J5ttTbMmf2AhgPYwvzG__.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\askinstall59[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\biQtzmlvUuePquCyc26WOk81.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\qfccVzmWr1gnzwyOYDWeOqRI.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\MMMy7Y8hjR6Y29cpH6i8H_U7.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\install4[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\xb1pVUTNv4joD4Xqj7uK3Edx.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\g_MknxqsfTsoo1ZWGLulW9rc.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\qdL8dkydTER5O_7_V_AI0RtR.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\B9sunPpJzOhhqi2LNmnFA1Vf.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\Z_vRblvz9Nut3_fUjgc3y2tG.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\ekfeDHeefrpVeOLF_zEospRe.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\So_nQ0f6036W5A_oTVjjj7ec.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Service[1].bmp
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\comprehensive1[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\amz[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\z6E_29nD8ae2MMWCQ6qNBkCO.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\Km91VWEL8QlQMf6PXBcS7CUg.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BF1[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\70gT3_jLhoTN69YJz2eMYaZ8.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\VkFchiXGaREjCGp6k2Ktr5lS.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\siww1047[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\Setup12[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\G2_EIY9DOQs4sNlH3UBGIHNs.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AordVPNWZ3202111221117[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\setup_525403[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\MVqkmKxpMmLZNmFpGwUpdGg4.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\xxxx[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Uponrun[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\OWtr97fJ3mDnO4VToTTzkR9p.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\xFaFx_Szk00JnPF7AvMMVAeu.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\i_OjgwShp6vSNPTHoCRKJq5M.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\SSceGixduBzhWNhNwAlLoQH9.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\Kjf6fop4TDCFGr6Z3sfik8Kr.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\eyCAN_PVePYm1Gl5JhE7GSOh.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Adobe Films\NikB4LocWiKFuKasNcrhRDqo.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File opened: C:\Users\user\AppData\Local\Temp\7zS883210E8\libcurl.dll Jump to behavior
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File opened: C:\Users\user\AppData\Local\Temp\7zS883210E8\libcurlpp.dll Jump to behavior
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe File opened: C:\Users\user\AppData\Local\Temp\7zS883210E8\ Jump to behavior
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529073800.0000000003A7E000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Q
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.494872067.0000000003AD1000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.533738388.0000000003A7E000.00000004.00000001.sdmp Binary or memory string: 6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Z
Source: Mon06885bbdb13fec3.exe, 0000000E.00000000.293872911.0000000000552000.00000002.00020000.sdmp Binary or memory string: vmware
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.533738388.0000000003A7E000.00000004.00000001.sdmp Binary or memory string: f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}T
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.533738388.0000000003A7E000.00000004.00000001.sdmp Binary or memory string: e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.535272264.00000000034D1000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}j8
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}T4
Source: Mon067df200a8fd43b.exe, 0000001A.00000002.769569099.0000000000870000.00000004.00000001.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000002.769162711.0000000000806000.00000004.00000001.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000002.770254003.0000000002D29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp, Mon06885bbdb13fec3.exe, Mon06885bbdb13fec3.exe, 0000000E.00000000.293872911.0000000000552000.00000002.00020000.sdmp Binary or memory string: DetectVirtualMachine
Source: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe, 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp, Mon06885bbdb13fec3.exe, 0000000E.00000000.293872911.0000000000552000.00000002.00020000.sdmp Binary or memory string: <Module>pctool.exeProgramStubRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorMainDownloadPayloadRunOnStartup.ctorExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatorurlregNameAppPathHidepathlpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributepctoolEnvironmentExitSystem.ThreadingThreadSleepSystem.IOPathGetTempPathCombineFileWriteAllBytesSystem.NetServicePointManagerSecurityProtocolTypeset_SecurityProtocolWebRequestCreateHttpWebRequestset_MethodWebResponseGetResponseHttpWebResponseStreamGetResponseStreamMemoryStreamCopyToCloseDisposeToArrayIDisposableAppDomainget_CurrentDomainget_FriendlyNameStringConcatExistsAssemblyGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineOpenSubKeySetValueCurrentUserException.cctorSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_Currentget_ItemToStringToLowerop_EqualityToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticks
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.529073800.0000000003A7E000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Z
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.524476080.0000000003AC9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.533738388.0000000003A7E000.00000004.00000001.sdmp Binary or memory string: 6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: setup_install.exe, 00000008.00000002.393914944.000000000091A000.00000004.00000020.sdmp, setup_install.exe, 00000008.00000000.317230848.000000000091A000.00000004.00000020.sdmp, Mon06885bbdb13fec3.exe, 0000000E.00000002.753592081.0000000000AF6000.00000004.00000020.sdmp, Mon06cebe79e9a244.exe, 00000018.00000002.333127354.0000000000FF0000.00000004.00000020.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000000.329684478.0000000000806000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.530006737.0000000003493000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y6
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.533738388.0000000003A7E000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.533738388.0000000003A7E000.00000004.00000001.sdmp Binary or memory string: 0026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Mon0630c6f1115ad5.exe, 00000016.00000003.533738388.0000000003A7E000.00000004.00000001.sdmp Binary or memory string: e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&V
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_00405FE9 GetSystemInfo, 0_2_00405FE9
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_00404B47 FindFirstFileW, 0_2_00404B47
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00404640 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,GetUserNameA, 26_2_00404640
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_004268FD FindFirstFileExW, 26_2_004268FD
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00554890 FindFirstFileA,FindClose,__Init_thread_footer,GetUserNameA,__Init_thread_footer,__Init_thread_footer,GetWindowTextA,Sleep,GetWindowTextA, 26_2_00554890
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_005528B0 __cftof,FindFirstFileExW,FindFirstFileExW,FindFirstFileExW,SetFilePointerEx,InternetOpenA,InternetSetOptionA,RtlReAllocateHeap,GetTimeZoneInformation,InternetConnectA,HttpOpenRequestA,HttpSendRequestA, 26_2_005528B0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00576B4D FindFirstFileExW, 26_2_00576B4D
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06f9c53ffae25af61.exe System information queried: ModuleInformation

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06f9c53ffae25af61.exe System information queried: CodeIntegrityInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_004014E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_004014E0
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00419616 mov eax, dword ptr fs:[00000030h] 26_2_00419616
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_004206D8 mov eax, dword ptr fs:[00000030h] 26_2_004206D8
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00569866 mov eax, dword ptr fs:[00000030h] 26_2_00569866
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_0055092B mov eax, dword ptr fs:[00000030h] 26_2_0055092B
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00570928 mov eax, dword ptr fs:[00000030h] 26_2_00570928
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00550D90 mov eax, dword ptr fs:[00000030h] 26_2_00550D90
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_007DDCCB push dword ptr fs:[00000030h] 26_2_007DDCCB
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06f9c53ffae25af61.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Process queried: DebugPort
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1028
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_004190B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_004190B6
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00427E97 GetProcessHeap, 26_2_00427E97
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0040115C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit, 8_2_0040115C
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0040CE5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 8_2_0040CE5C
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0040CE60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 8_2_0040CE60
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_00401150 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit, 8_2_00401150
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_004013C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm, 8_2_004013C9
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00414DC0 SetUnhandledExceptionFilter, 26_2_00414DC0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_004190B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_004190B6
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00414C2D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00414C2D
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00413F79 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_00413F79
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00565010 SetUnhandledExceptionFilter, 26_2_00565010
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_005641C9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_005641C9
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00569306 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00569306

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06f9c53ffae25af61.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Memory written: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe base: 400000 value starts with: 4D5A
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe "C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06885bbdb13fec3.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06dc62fb7183b9e.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06f9c53ffae25af61.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06d47d8fde50.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon0630c6f1115ad5.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06cebe79e9a244.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon067df200a8fd43b.exe /mixone
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon066b4a7578e0123e.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon060579dda3b.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon0699e256d5dc14.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06be060a7cb426cf.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon067f2fcee827.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon06434adde6c2.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1028
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe Mon06885bbdb13fec3.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Mon06dc62fb7183b9e.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06f9c53ffae25af61.exe Mon06f9c53ffae25af61.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Mon06d47d8fde50.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Mon0630c6f1115ad5.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe Mon06cebe79e9a244.exe
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: C:\Users\user\Pictures\Adobe Films\v2lMWzt44zb0lQ28NgmZJByf.exe "C:\Users\user\Pictures\Adobe Films\v2lMWzt44zb0lQ28NgmZJByf.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Mon067df200a8fd43b.exe /mixone
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon066b4a7578e0123e.exe Mon066b4a7578e0123e.exe
Source: setup_install.exe, 00000008.00000000.317714396.0000000000DA0000.00000002.00020000.sdmp, setup_install.exe, 00000008.00000000.327922565.0000000000DA0000.00000002.00020000.sdmp, Mon06885bbdb13fec3.exe, 0000000E.00000002.774058571.00000000011B0000.00000002.00020000.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000000.325704286.0000000000C40000.00000002.00020000.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000000.330204645.0000000000C40000.00000002.00020000.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000002.769824740.0000000000C40000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: setup_install.exe, 00000008.00000000.317714396.0000000000DA0000.00000002.00020000.sdmp, setup_install.exe, 00000008.00000000.327922565.0000000000DA0000.00000002.00020000.sdmp, Mon06885bbdb13fec3.exe, 0000000E.00000002.774058571.00000000011B0000.00000002.00020000.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000000.325704286.0000000000C40000.00000002.00020000.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000000.330204645.0000000000C40000.00000002.00020000.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000002.769824740.0000000000C40000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: setup_install.exe, 00000008.00000000.317714396.0000000000DA0000.00000002.00020000.sdmp, setup_install.exe, 00000008.00000000.327922565.0000000000DA0000.00000002.00020000.sdmp, Mon06885bbdb13fec3.exe, 0000000E.00000002.774058571.00000000011B0000.00000002.00020000.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000000.325704286.0000000000C40000.00000002.00020000.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000000.330204645.0000000000C40000.00000002.00020000.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000002.769824740.0000000000C40000.00000002.00020000.sdmp Binary or memory string: Progman
Source: setup_install.exe, 00000008.00000000.317714396.0000000000DA0000.00000002.00020000.sdmp, setup_install.exe, 00000008.00000000.327922565.0000000000DA0000.00000002.00020000.sdmp, Mon06885bbdb13fec3.exe, 0000000E.00000002.774058571.00000000011B0000.00000002.00020000.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000000.325704286.0000000000C40000.00000002.00020000.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000000.330204645.0000000000C40000.00000002.00020000.sdmp, Mon067df200a8fd43b.exe, 0000001A.00000002.769824740.0000000000C40000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetLocaleInfoW, 26_2_0042A0C4
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 26_2_0042A1EA
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetForegroundWindow,GetKeyboardLayoutList,GetLocaleInfoA, 26_2_00405230
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetLocaleInfoW, 26_2_0042A2F0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 26_2_0042A3BF
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 26_2_00429A5E
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: EnumSystemLocalesW, 26_2_00420A87
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetLocaleInfoW, 26_2_00429C59
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: EnumSystemLocalesW, 26_2_00429D4B
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: EnumSystemLocalesW, 26_2_00429D00
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: EnumSystemLocalesW, 26_2_00429DE6
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 26_2_00429E71
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetLocaleInfoW, 26_2_00420FA9
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: EnumSystemLocalesW, 26_2_0057A036
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 26_2_0057A0C1
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetLocaleInfoW, 26_2_005711F9
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetLocaleInfoW, 26_2_0057A314
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 26_2_0057A43A
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetKeyboardLayoutList,GetLocaleInfoA, 26_2_00555480
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetLocaleInfoW, 26_2_0057A540
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 26_2_0057A60F
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: EnumSystemLocalesW, 26_2_00570CD7
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 26_2_00579CAE
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: EnumSystemLocalesW, 26_2_00579F50
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: EnumSystemLocalesW, 26_2_00579F9B
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06dc62fb7183b9e.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06d47d8fde50.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06cebe79e9a244.exe VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00414E7B cpuid 26_2_00414E7B
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon06885bbdb13fec3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\setup_install.exe Code function: 8_2_0040CDB0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 8_2_0040CDB0
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00426054 _free,_free,_free,GetTimeZoneInformation,_free, 26_2_00426054
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon067df200a8fd43b.exe Code function: 26_2_00404640 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,GetUserNameA, 26_2_00404640
Source: C:\Users\user\Desktop\912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe Code function: 0_2_00401951 GetVersionExW, 0_2_00401951

Lowering of HIPS / PFW / Operating System Security Settings:

Disable Windows Defender real time protection (registry)
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 20.2.Mon06d47d8fde50.exe.39cb790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Mon06d47d8fde50.exe.39cb790.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002D.00000000.342760171.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.356338732.0000000003811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.336701332.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.721849650.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.337872878.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.339922438.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Mon06d47d8fde50.exe PID: 6264, type: MEMORYSTR
Yara Genericmalware
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340cda6.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340ada6.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340cda6.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.311875939.00007FF7B9D96000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe PID: 5000, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0699e256d5dc14.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\siww1047[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Pictures\Adobe Films\i4HzLCX9ix_xgRHB3fQN7Sf0.exe, type: DROPPED
Yara detected Vidar stealer
Source: Yara match File source: 0000001D.00000000.336577218.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.520629411.0000000002190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.314364841.0000000002270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.332884481.0000000002190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.507480457.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.329190467.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.342545524.0000000002190000.00000040.00000001.sdmp, type: MEMORY
Yara detected Socelars
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.2ff6740.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.300407c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.301e26e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000000.331948601.000000000118E000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.401155662.000000000118E000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.285629989.0000000002FC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.324651127.000000000118E000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.303657989.000000000118E000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe PID: 5000, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon060579dda3b.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\askinstall42[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Pictures\Adobe Films\So_nQ0f6036W5A_oTVjjj7ec.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\askinstall59[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Pictures\Adobe Films\xFaFx_Szk00JnPF7AvMMVAeu.exe, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0630c6f1115ad5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: 20.2.Mon06d47d8fde50.exe.39cb790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Mon06d47d8fde50.exe.39cb790.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002D.00000000.342760171.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.356338732.0000000003811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.336701332.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.721849650.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.337872878.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.339922438.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Mon06d47d8fde50.exe PID: 6264, type: MEMORYSTR
Yara Genericmalware
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340cda6.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340ada6.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe.340cda6.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.311875939.00007FF7B9D96000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.286410815.00000000033AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe PID: 5000, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS883210E8\Mon0699e256d5dc14.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\siww1047[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Pictures\Adobe Films\i4HzLCX9ix_xgRHB3fQN7Sf0.exe, type: DROPPED
Yara detected Vidar stealer
Source: Yara match File source: 0000001D.00000000.336577218.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.520629411.0000000002190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.314364841.0000000002270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.332884481.0000000002190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.507480457.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.329190467.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.342545524.0000000002190000.00000040.00000001.sdmp, type: MEMORY