Windows Analysis Report
P2SMn3jloH.exe

ID:	736951
Product:	CloudBasic
Start time:	12:24:08
Start date:	03.11.2022
Sample:	P2SMn3jloH.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	0779f7b34e9079944427b8260b49c205
SHA1:	31f2cf1dc970fdfaf51b9aab2c9e0b9715fb53ec
SHA256:	5c7ff5f2993bdb60d15a567dfaef41dcd30875d6629f2775acdb190e01dcef87
Filetype:	Win32 Executable (generic) a (10002005/4) 99.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Roaming\utisvaa	PE32 executable (GUI) Intel 80386, for MS Windows	0779F7B34E9079944427B8260B49C205	31F2CF1DC970FDFAF51B9AAB2C9E0B9715FB53EC	5C7FF5F2993BDB60D15A567DFAEF41DCD30875D6629F2775ACDB190E01DCEF87
C:\Users\user\AppData\Roaming\utisvaa:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

AV Detection

Source: P2SMn3jloH.exe	ReversingLabs: Detection: 46%
Source: P2SMn3jloH.exe	Virustotal: Detection: 34%			Perma Link

Source: http://host-host-file8.com/

URL Reputation: Label: malware

Source: host-file-host6.com	Virustotal: Detection: 17%			Perma Link
Source: host-host-file8.com	Virustotal: Detection: 16%			Perma Link

Source: C:\Users\user\AppData\Roaming\utisvaa	ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Roaming\utisvaa	Virustotal: Detection: 34%			Perma Link

Source: P2SMn3jloH.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Roaming\utisvaa

Joe Sandbox ML: detected

Source: 13.0.utisvaa.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.utisvaa.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.utisvaa.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.utisvaa.400000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Compliance

Source: P2SMn3jloH.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: C:\jexagiyad51\fuzuniguxoloyi55\nohacagepak\zevoluril\suy.pdb source: P2SMn3jloH.exe, utisvaa.2.dr
Source:	Binary string: (C:\jexagiyad51\fuzuniguxoloyi55\nohacagepak\zevoluril\suy.pdb@ source: P2SMn3jloH.exe, utisvaa.2.dr

Networking

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Source: Malware configuration extractor	URLs: http://host-file-host6.com/
Source: Malware configuration extractor	URLs: http://host-host-file8.com/

Source: Joe Sandbox View

ASN Name: RISS-ASRU RISS-ASRU

Source: Joe Sandbox View

IP Address: 87.251.79.60 87.251.79.60

Source: global traffic

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dcihclar.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 229Host: host-file-host6.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dcihclar.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 229Host: host-file-host6.com

Source: unknown

DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match	File source: 0.2.P2SMn3jloH.exe.21b15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P2SMn3jloH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.utisvaa.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.utisvaa.21a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.409013280.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.350515025.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.408977758.0000000001F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.338679207.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 0000000D.00000002.409013280.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.395157811.00000000006D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.350515025.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000D.00000002.408977758.0000000001F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000002.00000000.338679207.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.254069978.00000000005E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: P2SMn3jloH.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0000000D.00000002.409013280.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.395157811.00000000006D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.350515025.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000D.00000002.408977758.0000000001F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000002.00000000.338679207.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.254069978.00000000005E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_0041A8B0		0_2_0041A8B0
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_0040E970		0_2_0040E970
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00419918		0_2_00419918
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_004139A7		0_2_004139A7
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00414250		0_2_00414250
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00414A7C		0_2_00414A7C
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00419220		0_2_00419220
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00418CDC		0_2_00418CDC
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_0041B481		0_2_0041B481
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_0041465C		0_2_0041465C
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00413E7C		0_2_00413E7C
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00418798		0_2_00418798

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: String function: 0040EF38 appears 38 times

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_021B0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,		0_2_021B0110
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_0040180C Sleep,NtTerminateProcess,		1_2_0040180C
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_00401818 Sleep,NtTerminateProcess,		1_2_00401818
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_00401822 Sleep,NtTerminateProcess,		1_2_00401822
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_00401826 Sleep,NtTerminateProcess,		1_2_00401826
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_00401834 Sleep,NtTerminateProcess,		1_2_00401834
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 12_2_021A0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,		12_2_021A0110
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_0040180C Sleep,NtTerminateProcess,		13_2_0040180C
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_00401818 Sleep,NtTerminateProcess,		13_2_00401818
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_00401822 Sleep,NtTerminateProcess,		13_2_00401822
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_00401826 Sleep,NtTerminateProcess,		13_2_00401826
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_00401834 Sleep,NtTerminateProcess,		13_2_00401834

Source: P2SMn3jloH.exe	Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: utisvaa.2.dr	Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll			Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll			Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior

Source: P2SMn3jloH.exe	ReversingLabs: Detection: 46%
Source: P2SMn3jloH.exe	Virustotal: Detection: 34%

Source: P2SMn3jloH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\P2SMn3jloH.exe C:\Users\user\Desktop\P2SMn3jloH.exe
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Process created: C:\Users\user\Desktop\P2SMn3jloH.exe C:\Users\user\Desktop\P2SMn3jloH.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\utisvaa C:\Users\user\AppData\Roaming\utisvaa
Source: C:\Users\user\AppData\Roaming\utisvaa	Process created: C:\Users\user\AppData\Roaming\utisvaa C:\Users\user\AppData\Roaming\utisvaa
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Process created: C:\Users\user\Desktop\P2SMn3jloH.exe C:\Users\user\Desktop\P2SMn3jloH.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Process created: C:\Users\user\AppData\Roaming\utisvaa C:\Users\user\AppData\Roaming\utisvaa			Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\utisvaa

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/2@4/1

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: 0_2_00405467 SetLastError,GetTickCount,LoadLibraryA,AreFileApisANSI,GetNamedPipeHandleStateW,InterlockedIncrement,EnterCriticalSection,GetConsoleAliasExesLengthW,EnumCalendarInfoW,InterlockedExchange,GetPrivateProfileStructA,EnterCriticalSection,InterlockedCompareExchange,EnumCalendarInfoA,LocalUnlock,CancelDeviceWakeupRequest,GetComputerNameW,EnterCriticalSection,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,InterlockedIncrement,GetCharWidthA,SetThreadToken,MoveFileWithProgressA,FindNextVolumeA,GetModuleHandleA,CreateActCtxW,VerifyVersionInfoA,InterlockedDecrement,InterlockedIncrement,MoveFileWithProgressA,WriteConsoleW,GlobalFindAtomW,LoadLibraryW,MoveFileWithProgressA,SetProcessAffinityMask,GetACP,DefineDosDeviceW,GetDiskFreeSpaceExW,InterlockedExchange,GetPrivateProfileStructW,LockFile,_lread,ReadConsoleInputW,GetPrivateProfileIntA,OpenJobObjectW,GetTapeParameters,GetMailslotInfo,CopyFileW,GetSystemWindowsDirectoryA,OpenFileMappingA,GetConsoleAliasesLengthA,SetFileTime,

0_2_00405467

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: 0_2_00405224 CallNamedPipeA,GetThreadPriority,SearchPathA,OpenEventA,FindResourceW,GetVersionExA,SetWaitableTimer,CopyFileW,WriteConsoleInputA,SizeofResource,GlobalDeleteAtom,lstrlenW,GetModuleHandleA,GetWindowsDirectoryA,MapViewOfFileEx,GlobalGetAtomNameA,DebugBreak,LocalUnlock,VerifyVersionInfoW,

0_2_00405224

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Command line argument: PpA

0_2_00416FA0

Source: P2SMn3jloH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\jexagiyad51\fuzuniguxoloyi55\nohacagepak\zevoluril\suy.pdb source: P2SMn3jloH.exe, utisvaa.2.dr
Source:	Binary string: (C:\jexagiyad51\fuzuniguxoloyi55\nohacagepak\zevoluril\suy.pdb@ source: P2SMn3jloH.exe, utisvaa.2.dr

Data Obfuscation

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_004088F4 push eax; ret		0_2_00408912
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_0040A483 push ecx; ret		0_2_0040A496
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_0040EF7D push ecx; ret		0_2_0040EF90
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_021B1970 push ebx; iretd		0_2_021B19B7
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_021B1977 push ebx; iretd		0_2_021B19B7
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_021B198B push ebx; iretd		0_2_021B19B7
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_004011D0 push ebx; iretd		1_2_00401217
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_004011D7 push ebx; iretd		1_2_00401217
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_004011EB push ebx; iretd		1_2_00401217
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 12_2_021A198B push ebx; iretd		12_2_021A19B7
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 12_2_021A1970 push ebx; iretd		12_2_021A19B7
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 12_2_021A1977 push ebx; iretd		12_2_021A19B7
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_004011D0 push ebx; iretd		13_2_00401217
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_004011D7 push ebx; iretd		13_2_00401217
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_004011EB push ebx; iretd		13_2_00401217

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: 0_2_00417194 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_00417194

Persistence and Installation Behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\utisvaa

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\utisvaa

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\p2smn3jloh.exe

Jump to behavior

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\utisvaa:Zone.Identifier read attributes | delete

Jump to behavior

Malware Analysis System Evasion

Source: utisvaa, 0000000D.00000002.408489516.00000000001FB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior

Source: C:\Windows\explorer.exe TID: 2436	Thread sleep count: 627 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 1172	Thread sleep count: 340 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 1172	Thread sleep time: -34000s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 2680	Thread sleep count: 355 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 2680	Thread sleep time: -35500s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 2136	Thread sleep count: 511 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 5176	Thread sleep count: 217 > 30			Jump to behavior

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 627			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 355			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 511			Jump to behavior

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Evaded block: after key decision

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

System information queried: ModuleInformation

Jump to behavior

Source: explorer.exe, 00000002.00000000.313587656.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: explorer.exe, 00000002.00000000.313587656.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.343231821.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000002.00000000.313587656.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000002.00000000.312903359.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000002.00000000.266848734.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: explorer.exe, 00000002.00000000.312903359.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: 0_2_00408A87 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00408A87

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: 0_2_00417194 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_00417194

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_021B0042 push dword ptr fs:[00000030h]		0_2_021B0042
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 12_2_021A0042 push dword ptr fs:[00000030h]		12_2_021A0042

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00407933 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00407933
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00408A87 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00408A87
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_0040A40B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_0040A40B
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00410E4E SetUnhandledExceptionFilter,		0_2_00410E4E
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00408F5F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00408F5F

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe

File created: utisvaa.2.dr

Jump to dropped file

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read			Jump to behavior

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Memory written: C:\Users\user\Desktop\P2SMn3jloH.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Memory written: C:\Users\user\AppData\Roaming\utisvaa base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: 0_2_021B0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,

0_2_021B0110

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Thread created: C:\Windows\explorer.exe EIP: 57B1930			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Thread created: unknown EIP: 5851930			Jump to behavior

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Process created: C:\Users\user\Desktop\P2SMn3jloH.exe C:\Users\user\Desktop\P2SMn3jloH.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Process created: C:\Users\user\AppData\Roaming\utisvaa C:\Users\user\AppData\Roaming\utisvaa			Jump to behavior

Source: explorer.exe, 00000002.00000000.335292872.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.303168822.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.265409063.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000002.00000000.348886201.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.335292872.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.270117022.0000000006770000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.335292872.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.303168822.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.265409063.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.265126182.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.302408124.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.333974747.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 00000002.00000000.335292872.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.303168822.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.265409063.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,		0_2_0041325D
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,		0_2_00418265
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,		0_2_00418231
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,		0_2_00412B6A
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,		0_2_00413374
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: GetLocaleInfoA,		0_2_00411B01
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,		0_2_00409B37
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,		0_2_004183A4
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,		0_2_0041340C
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,		0_2_004124FC
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,		0_2_00413480
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,		0_2_00418541
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,		0_2_00412DC2
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,		0_2_00413652
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: GetLocaleInfoA,		0_2_00418691
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,		0_2_0041377A
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,		0_2_00413713
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,		0_2_00411FE0
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,		0_2_004137B6

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: 0_2_00411388 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00411388

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: 0_2_00405224 CallNamedPipeA,GetThreadPriority,SearchPathA,OpenEventA,FindResourceW,GetVersionExA,SetWaitableTimer,CopyFileW,WriteConsoleInputA,SizeofResource,GlobalDeleteAtom,lstrlenW,GetModuleHandleA,GetWindowsDirectoryA,MapViewOfFileEx,GlobalGetAtomNameA,DebugBreak,LocalUnlock,VerifyVersionInfoW,

0_2_00405224

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.P2SMn3jloH.exe.21b15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P2SMn3jloH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.utisvaa.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.utisvaa.21a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.409013280.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.350515025.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.408977758.0000000001F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.338679207.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: 0.2.P2SMn3jloH.exe.21b15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P2SMn3jloH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.utisvaa.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.utisvaa.21a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.409013280.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.350515025.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.408977758.0000000001F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.338679207.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY